
Cloud Vulnerability DB
A community-led vulnerabilities database
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which contains multiple security vulnerabilities. This vulnerability was disclosed on May 16, 2025. BSON-XS, which was the official Perl XS implementation of MongoDB's BSON serialization, reached its end of life on August 13, 2020, and is no longer supported (NVD, MongoDB EOL).
The vulnerability encompasses several critical security issues in the bundled libbson 1.1.7 library, including CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. The CVSS v3.1 base score is 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-1104 (Use of Unmaintained Third Party Components) (NVD, Debian LTS).
The vulnerabilities in the bundled libbson library can lead to multiple severe security issues including heap-based buffer over-read, infinite loops, memory corruption, buffer overflows, and potential application crashes. These issues could result in denial of service, remote code execution, or information disclosure (Debian LTS).
For Debian 11 bullseye, these vulnerabilities have been fixed in version 0.8.4-1+deb11u1. Users are strongly recommended to upgrade their libbson-xs-perl packages. However, since BSON-XS has reached end-of-life status, users should consider migrating to alternative supported BSON implementations (Debian LTS).
Source: This report was generated using AI