Cyber Posture

CVE-2025-0755

High

Published: 18 March 2025

Modified: 03 November 2025
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-0755 is a buffer overflow vulnerability in the bson_append functions of the MongoDB C driver library (libbson). It occurs when operations produce a BSON document exceeding the maximum allowable size of INT32_MAX, triggering a segmentation fault and potential application crash. The issue affects libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1, and MongoDB Server v7.0 versions prior to 7.0.16. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability with low complexity and no privileges or user interaction required. By crafting operations that force the BSON document to exceed INT32_MAX, the attacker triggers the buffer overflow, resulting in a segmentation fault that crashes the affected application. The high impact ratings across confidentiality, integrity, and availability indicate potential for severe disruption, though the primary effect described is denial of service via crash.
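The size check this class of bug depends on, as an added example that is not libbson or MongoDB code. It is a toy append routine (the names doc_t, doc_init, doc_free and doc_append are hypothetical) that refuses any append that would push the document past its ceiling, comparing the requested length against the remaining room so the sum is never formed before it is known to fit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy length-tracked document; an illustration, not libbson's bson_t. */
typedef struct {
    uint8_t *data;
    size_t len; /* bytes in use */
    size_t cap; /* bytes allocated */
    size_t max; /* size ceiling, INT32_MAX for a BSON-style int32 length */
} doc_t;

void doc_init(doc_t *d, size_t max)
{
    *d = (doc_t){ .data = NULL, .len = 0, .cap = 0, .max = max };
}

void doc_free(doc_t *d)
{
    free(d->data);
    doc_init(d, d->max);
}

/* Append n bytes; return false and leave the document unchanged if the
 * result would exceed d->max or memory cannot be obtained. */
bool doc_append(doc_t *d, const void *src, size_t n)
{
    /* Test against the remaining room. Forming d->len + n first could
     * wrap, and storing it in an int32_t could turn it negative. */
    if (n > d->max - d->len)
        return false;
    if (n == 0)
        return true;
    size_t need = d->len + n;
    if (need > d->cap) {
        size_t cap = d->cap ? d->cap : 16;
        while (cap < need) /* grow geometrically, clamped to the ceiling */
            cap = (cap > d->max / 2) ? d->max : cap * 2;
        uint8_t *p = realloc(d->data, cap);
        if (p == NULL)
            return false;
        d->data = p;
        d->cap = cap;
    }
    memcpy(d->data + d->len, src, n);
    d->len = need;
    return true;
}
```

Initialising with a small ceiling exercises the boundary without allocating gigabytes; with a ceiling of INT32_MAX the same comparison rejects oversized requests before any byte is copied.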

Mitigation involves upgrading to patched versions: libbson 1.27.5 or later, MongoDB Server 8.0.1 or later, and MongoDB Server 7.0.16 or later. Official advisories, including MongoDB Jira tickets CDRIVER-5601 and SERVER-94461, detail the fixes, while Debian LTS announcements from May 2025 address backported patches for affected distributions.

Details

CWE(s): CWE-122

Affected Products

mongodb / libbson: ≤ 1.27.5
mongodb / mongodb: 8.0.0 · 7.0.0 — 7.0.16

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The heap-based buffer overflow in bson_append triggers a segmentation fault and application crash when the BSON document size exceeds INT32_MAX, which directly enables adversaries to exploit the vulnerability for denial of service via application or system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References