BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

• https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html
• https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1

• https://nvd.nist.gov/vuln/detail/CVE-2024-6383
• https://jira.mongodb.org/browse/CDRIVER-5628