Moderate severity · NVD Advisory · Published Aug 15, 2013 · Updated Apr 29, 2026
CVE-2013-2132
Description
bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pymongo (PyPI) | < 2.5.2 | 2.5.2 |
Affected products
- cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* (range: <= 2.5.1)
- cpe:2.3:a:mongodb:mongodb:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
Patches
a060c15ef87e Fix null pointer when decoding invalid DBRef PYTHON-532
3 files changed · +35 −3
bson/_cbsonmodule.c+8 −2 modified@@ -1202,8 +1202,14 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position, Py_INCREF(collection); PyDict_DelItemString(value, "$ref"); - Py_INCREF(id); - PyDict_DelItemString(value, "$id"); + + if (id == NULL) { + id = Py_None; + Py_INCREF(id); + } else { + Py_INCREF(id); + PyDict_DelItemString(value, "$id"); + } if (database == NULL) { database = Py_None;
bson/__init__.py+1 −1 modified@@ -150,7 +150,7 @@ def _get_object(data, position, as_class, tz_aware, uuid_subtype): object = _elements_to_dict(encoded, as_class, tz_aware, uuid_subtype) position += obj_size if "$ref" in object: - return (DBRef(object.pop("$ref"), object.pop("$id"), + return (DBRef(object.pop("$ref"), object.pop("$id", None), object.pop("$db", None), object), position) return object, position
test/test_collection.py+26 −0 modified@@ -30,6 +30,7 @@ from bson.binary import Binary, UUIDLegacy, OLD_UUID_SUBTYPE, UUID_SUBTYPE from bson.code import Code +from bson.dbref import DBRef from bson.objectid import ObjectId from bson.py3compat import b from bson.son import SON @@ -1675,6 +1676,31 @@ def test_bad_encode(self): self.assertRaises(InvalidDocument, c.save, {"x": c}) warnings.simplefilter("default") + def test_bad_dbref(self): + c = self.db.test + c.drop() + + # Incomplete DBRefs. + self.assertRaises( + InvalidDocument, + c.insert, {'ref': {'$ref': 'collection'}}) + + self.assertRaises( + InvalidDocument, + c.insert, {'ref': {'$id': ObjectId()}}) + + ref_only = {'ref': {'$ref': 'collection'}} + id_only = {'ref': {'$id': ObjectId()}} + + # Force insert of ref without $id. + c.insert(ref_only, check_keys=False) + self.assertEqual(DBRef('collection', id=None), c.find_one()['ref']) + c.drop() + + # DBRef without $ref is decoded as normal subdocument. + c.insert(id_only, check_keys=False) + self.assertEqual(id_only, c.find_one()) + def test_as_class(self): c = self.db.test c.drop()
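Review bot: in the `bson/_cbsonmodule.c` hunk, the new `id == NULL` branch in `get_value()` deserves a one-line comment stating that a `$ref` subdocument with no `$id` is deliberately decoded as a DBRef whose id is `None`, matching the `object.pop("$id", None)` default in the pure-Python decoder; without it, the next reader sees a NULL substituted by `Py_None` and has no way to tell a bug fix from a semantic choice. The same hunk still treats `$ref` asymmetrically: `collection` is INCREF'd and `PyDict_DelItemString(value, "$ref")` is called unconditionally, with its return value ignored (as it is for `"$id"` in the new else branch), while `$id` and the existing `database` block both guard against NULL. Checking those return values, or at least noting why ignoring them is safe here, would keep the three fields handled the same way.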
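Review bot: in the `bson/__init__.py` hunk, `object.pop("$id", None)` brings the pure-Python `_get_object()` in line with the C path, but the rule that a subdocument containing `$ref` without `$id` becomes `DBRef(ref, None)` while a subdocument with only `$id` stays a plain dict (the behaviour the new test asserts) is now expressed solely through a default argument. A short comment beside `if "$ref" in object:` stating that rule would stop the two decoders from drifting apart again.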
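Review bot: the `test_bad_dbref` hunk exercises the fix only through a server round-trip (`c.insert(..., check_keys=False)` followed by `find_one()`), so it runs only when a mongod is reachable and covers whichever of the two decoders is active in that test run. Since the bug lives in both `bson/_cbsonmodule.c` and `bson/__init__.py`, a direct decode of a hand-built document such as `{'ref': {'$ref': 'collection'}}` in `test/test_bson.py`, run with and without the C extension, would reproduce the NULL dereference as a plain unit test without a server and would pin the `DBRef('collection', id=None)` result for both paths.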
References
- github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2 (nvd: Exploit, Patch, WEB)
- ubuntu.com/usn/usn-1897-1 (nvd: Vendor Advisory; ghsa: WEB)
- github.com/advisories/GHSA-x33v-f3gp-gw2c (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-2132 (ghsa: ADVISORY)
- bugs.debian.org/cgi-bin/bugreport.cgi (ghsa: WEB; nvd)
- github.com/pypa/advisory-database/tree/main/vulns/pymongo/PYSEC-2013-30.yaml (ghsa: WEB)
- jira.mongodb.org/browse/PYTHON-532 (nvd: WEB)
- lists.opensuse.org/opensuse-updates/2013-06/msg00180.html (ghsa: WEB; nvd)
- seclists.org/oss-sec/2013/q2/447 (ghsa: WEB; nvd)
- www.debian.org/security/2013/dsa-2705 (ghsa: WEB; nvd)
- www.osvdb.org/93804 (nvd)
- www.securityfocus.com/bid/60252 (nvd)