CVE-2025-0755
Published: 18 March 2025
Summary
CVE-2025-0755 is a high-severity heap-based buffer overflow (CWE-122) in MongoDB's libbson (the MongoDB C driver library) and the MongoDB Server builds that bundle it. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 39.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws, directly addressing this buffer overflow by mandating upgrades to patched libbson and MongoDB Server versions.
SI-16 implements memory protections like heap guards and randomization to minimize exploitation of heap-based buffer overflows in bson_append functions.
SI-10 enforces validation of inputs to bson_append operations, preventing construction of oversized BSON documents that trigger the overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based buffer overflow in the bson_append functions produces a segmentation fault and an application crash once the BSON document size exceeds INT32_MAX, so the realistic adversary outcome is denial of service through application or system exploitation.
NVD Description
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16.
Deeper analysis
CVE-2025-0755 is a buffer overflow vulnerability in the bson_append functions of the MongoDB C driver library (libbson). It occurs when operations produce a BSON document exceeding the maximum allowable size of INT32_MAX, triggering a segmentation fault and potential application crash. The issue affects libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1, and MongoDB Server v7.0 versions prior to 7.0.16. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability with low complexity and no privileges or user interaction required. By crafting operations that force the BSON document to exceed INT32_MAX, the attacker triggers the buffer overflow, resulting in a segmentation fault that crashes the affected application. The high impact ratings across confidentiality, integrity, and availability indicate potential for severe disruption, though the primary effect described is denial of service via crash.
Mitigation involves upgrading to patched versions: libbson 1.27.5 or later, MongoDB Server 8.0.1 or later, and MongoDB Server 7.0.16 or later. Official advisories, including MongoDB Jira tickets CDRIVER-5601 and SERVER-94461, detail the fixes, while Debian LTS announcements from May 2025 address backported patches for affected distributions.
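The example below is added to this record to illustrate the bug class behind CVE-2025-0755 and the input-validation control (SI-10) listed above; it is not libbson's or MongoDB's code, and every name in it (bson_append_fits, naive_u32_check, doc_builder_t) is hypothetical. BSON stores a document's length as a signed 32-bit integer, so any append that would push the total past INT32_MAX has to be refused before a single byte is copied into the heap buffer. The overflow-safe check does its arithmetic by subtraction in size_t so no intermediate sum can wrap, and the contrasting 32-bit version shows how a wrapped total can make an oversized append look small.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration for this CVE record; not libbson's API.
 * A BSON document length is a signed int32, so INT32_MAX is the hard limit. */
#define BSON_MAX_LEN ((size_t) INT32_MAX)

/* Overflow-safe check: true if cur_len + add_len <= INT32_MAX.
 * Subtracting rather than adding means no intermediate value can wrap. */
bool bson_append_fits(size_t cur_len, size_t add_len)
{
    if (cur_len > BSON_MAX_LEN)
        return false;                   /* builder already past the limit */
    return add_len <= BSON_MAX_LEN - cur_len;
}

/* The unsafe pattern, kept for contrast: the sum is computed in 32 bits and
 * wraps modulo 2^32, so a huge add_len can produce a "total" below the limit. */
bool naive_u32_check(uint32_t cur_len, uint32_t add_len)
{
    uint32_t total = cur_len + add_len; /* wraps silently */
    return total <= (uint32_t) INT32_MAX;
}

/* Minimal heap-backed document builder, constructed for this example. */
typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes in use */
    size_t   cap;   /* bytes allocated */
} doc_builder_t;

bool doc_builder_init(doc_builder_t *b)
{
    b->cap = 64;
    b->len = 0;
    b->data = malloc(b->cap);
    return b->data != NULL;
}

/* Appends n bytes. Rejects, leaving the builder untouched, if the result would
 * exceed INT32_MAX or the buffer cannot be grown. Returns false on rejection. */
bool doc_builder_append(doc_builder_t *b, const void *src, size_t n)
{
    if (!bson_append_fits(b->len, n))
        return false;                   /* validate before touching the heap */
    if (b->len + n > b->cap) {          /* sum cannot wrap: it is <= INT32_MAX */
        size_t new_cap = b->cap;
        while (new_cap < b->len + n)
            new_cap *= 2;
        if (new_cap > BSON_MAX_LEN)
            new_cap = BSON_MAX_LEN;
        uint8_t *p = realloc(b->data, new_cap);
        if (!p)
            return false;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return true;
}

void doc_builder_free(doc_builder_t *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

int main(void)
{
    doc_builder_t b;
    if (!doc_builder_init(&b))
        return 1;
    const char sample[] = "sample";   /* constructed bytes, not real BSON */
    printf("small append: %s\n",
           doc_builder_append(&b, sample, sizeof sample) ? "ok" : "rejected");
    printf("oversized append: %s\n",
           doc_builder_append(&b, sample, BSON_MAX_LEN) ? "ok" : "rejected");
    printf("naive 32-bit check wrongly accepts oversized append: %d\n",
           naive_u32_check((uint32_t) INT32_MAX, (uint32_t) INT32_MAX + 2u));
    doc_builder_free(&b);
    return 0;
}
```

The point of the builder is ordering: the size check runs before any allocation or memcpy, so an oversized request never reaches the heap. Compiling with -fsanitize=address,undefined during testing is a cheap way to catch the remaining class of mistakes this check does not cover.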
Details
- CWE(s)