Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1
AnalysisAI
MongoDB C Driver bson_validate function returns early on specific inputs and incorrectly reports successful validation, allowing malformed or invalid UTF-8 sequences in BSON data to bypass validation checks. This affects MongoDB C Driver versions prior to 1.30.5, 2.0.0, and 2.0.1, and impacts applications that depend on this validation function to process untrusted BSON data. Authenticated remote attackers can exploit this to inject invalid BSON data, potentially causing integrity issues in downstream processing; EPSS 0.48 indicates this is a moderate-priority issue that warrants patching but is not among the highest-risk vulnerabilities.
Technical ContextAI
BSON (Binary JSON) is MongoDB's internal binary serialization format used for data storage and transmission. The bson_validate function is a critical security boundary in the MongoDB C Driver (CPE: cpe:2.3:a:mongodb_inc.:c_driver) that validates BSON document structure and encoding, including UTF-8 character sequence correctness. The vulnerability is classified as CWE-20 (Improper Input Validation), a root-cause weakness indicating the validation logic contains a flaw that causes it to exit early under specific input patterns without fully checking all constraints. When the function incorrectly reports success despite incomplete validation, subsequent application code that trusts this result may process malformed BSON as valid, potentially triggering unexpected behavior in database operations or data transformations that depend on well-formed input.
RemediationAI
Upgrade MongoDB C Driver to version 1.30.5 or later for the 1.x branch, or to version 2.0.2 or later for the 2.x branch. Consult the MongoDB JIRA ticket at https://jira.mongodb.org/browse/CDRIVER-6017 for detailed release notes and validation of the fix. If immediate upgrade is not possible, implement secondary BSON validation at the application layer, such as schema validation via MongoDB server-side rules or application-level deserialization checks, to ensure malformed data does not propagate downstream. Test the patched driver thoroughly with existing BSON inputs to confirm compatibility before rolling out to production.
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. Rated medium
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underl
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. Rate
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a co
A mongoc_bulk_operation_t may read invalid memory if large options are passed. Rated medium severity (CVSS 6.9), this vu
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22023
GHSA-q869-m422-4qcv