CVE-2025-40906 · CRITICAL 9.8 · EPSS p40.8%

Description

BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% probability of exploitation · percentile 40.8% · 2026-06-19T12:03:05Z
Published: 2025-05-16
Last modified: 2026-04-15

Underlying weaknesses · 3

CWE-122, CWE-190, CWE-1104

References

  1. https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html
  2. https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Use of Unmaintained Third Party Components (cwe-1104) | 0% | live |
| Weakness | Heap-based Buffer Overflow (cwe-122) | 0% | live |
| Weakness | Integer Overflow or Wraparound (cwe-190) | 0% | live |

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.