CVE-2025-40906

CVE-2025-40906: BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities

Vendor Mongodb
Product BSON::XS
Weakness CWE-1395
Published May 16, 2025
Last update September 9, 2025

CVSS base score

What the vulnerability does

01Description

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

Key dates

02Disclosure timeline

May 16, 2025 CVE published
September 9, 2025 Record updated