GHSA-mwcc-7vpp-xmv9

Source
https://github.com/advisories/GHSA-mwcc-7vpp-xmv9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-mwcc-7vpp-xmv9/GHSA-mwcc-7vpp-xmv9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mwcc-7vpp-xmv9
Aliases
Published
2025-11-19T00:31:24Z
Modified
2025-11-20T14:27:55.640425Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
Details

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

Database specific
{
    "github_reviewed_at": "2025-11-19T18:54:37Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-825"
    ],
    "nvd_published_at": "2025-11-18T22:15:45Z",
    "severity": "MODERATE"
}
References

Affected packages

Packagist / mongodb/mongodb-extension

Package

Name
mongodb/mongodb-extension
Purl
pkg:composer/mongodb/mongodb-extension

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.21.2

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3

1.*

1.0.0alpha1
1.0.0alpha2
1.0.0beta1
1.0.0beta2
1.0.0RC0
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0alpha1
1.2.0alpha2
1.2.0alpha3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.20.0
1.20.1
1.21.0
1.21.1