MongoDB 7.0.x < 7.0.16 / 8.0.x < 8.0.1 Buffer Overflow (SERVER-94461)

high Nessus Plugin ID 241372

Synopsis

The remote host is missing a security update.

Description

The version of MongoDB installed on the remote host is 7.0.x prior to 7.0.16 or 8.0.x prior to 8.0.1. It is, therefore, affected by a vulnerability as referenced in the SERVER-94461 advisory.

- The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document that exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1, and MongoDB Server v7.0 versions prior to 7.0.16. (CVE-2025-0755)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to MongoDB version 7.0.16 / 8.0.1 or later.

See Also

https://jira.mongodb.org/browse/SERVER-94461

Plugin Details

Severity: High

ID: 241372

File Name: mongodb_server_SERVER-94461.nasl

Version: 1.1

Type: combined

Agent: windows

Family: Misc.

Published: 7/4/2025

Updated: 7/4/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-0755

CVSS v3

Risk Factor: High

Base Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:mongodb:mongodb

Required KB Items: installed_sw/MongoDB

Patch Publication Date: 9/4/2024

Vulnerability Publication Date: 9/4/2024

Reference Information

CVE: CVE-2025-0755

IAVB: 2025-B-0102