CAPEv2 CVE-2025-61301
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.
AnalysisAI
Denial-of-analysis in CAPEv2, the open-source malware analysis sandbox, lets anyone able to submit a sample sabotage the platform's own reporting pipeline. A crafted sample that emits deeply nested or oversized behavior data trips MongoDB BSON size limits or orjson recursion errors in reporting/mongodb.py and reporting/jsondump.py, causing the behavioral report to be truncated or dropped entirely. Rated CVSS 7.5 (availability-only); EPSS is modest at 0.39% (31st percentile) and there is no public exploit identified at time of analysis, though the vector is trivial for anyone who can run a sample.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today