Cyber Resilience

CVE-2025-40906

Critical

Published: 16 May 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-40906 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 30.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

XS
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-1104

Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones.

addresses: CWE-1104

Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.

addresses: CWE-1104

The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit.

addresses: CWE-1104

Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones.

addresses: CWE-1104

Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use.

addresses: CWE-1104

Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them.

addresses: CWE-1104

Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components.

addresses: CWE-1104

Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies.

References