VYPR
Critical severity · NVD Advisory · Published Feb 5, 2018 · Updated Aug 6, 2024

CVE-2015-4412

Description

BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BSON injection in `legal?` function of bson-ruby gem before 3.0.4 allows DoS or arbitrary data injection via crafted string.

Vulnerability

The legal? function in the BSON::ObjectId class of the bson-ruby gem before version 3.0.4 contains a BSON injection vulnerability. The flaw arises because the regular expression used to validate hexadecimal ObjectId strings uses ^ and $ anchors instead of \A and \Z. In Ruby, ^ and $ match line boundaries rather than string boundaries, allowing a crafted string containing newline characters to bypass validation [2]. This affects applications using Mongoid, Mongo Mapper, or any library relying on BSON::ObjectId.legal? to validate user-supplied _id values.

Exploitation

An attacker can exploit this by providing a specially crafted string that includes a newline character followed by arbitrary BSON data. For example, a string like 24hexcharacters\n<injected_bson> would pass the legal? check because the regex matches only the first 24 hex characters on the first line [2]. The attacker does not need authentication if the application accepts unauthenticated input as an _id parameter. The injection is performed by sending the malicious string to a service that validates ObjectId using legal?, such as a web endpoint that queries MongoDB based on user-supplied IDs.

Impact

Successful exploitation can lead to denial of service through resource consumption or injection of arbitrary data into BSON queries [1]. In the best case, the attacker causes a low-severity DoS; in the worst case, they can perform BSON injection similar to SQL injection, potentially reading, modifying, or deleting data in MongoDB [2]. The impact depends on how the application uses the parsed BSON data after injection.

Mitigation

Upgrade to bson-ruby version 3.0.4 or later, which fixes the regular expression to use \A and \Z anchors [2]. As of the last available information, no workaround was published for versions before 3.0.4. This vulnerability is not listed on the CISA KEV as of the current date. The fix was released on 2015-06-08 per the gem changelog.
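The anchor change described above, as an added example (not code from bson-ruby or from this advisory): the pre-3.0.4 shape of `legal?` beside the patched form, run over constructed inputs so the effect of each anchor style is visible. The sample id, the `<injected>` marker and the `\Z` variant are this example's own assumptions; the `\Z` variant goes beyond the text to show why the commit uses `\z` rather than `\Z`.

```ruby
# Pre-3.0.4 shape of BSON::ObjectId.legal?: ^ and $ are LINE anchors in Ruby,
# so only one line of the string has to look like an ObjectId.
def legal_before_fix?(string)
  string.to_s =~ /^[0-9a-f]{24}$/i ? true : false
end

# 3.0.4 shape: \A and \z anchor to the absolute start and end of the string.
def legal_after_fix?(string)
  string.to_s =~ /\A[0-9a-f]{24}\z/i ? true : false
end

# Variant with \Z (this example's own, not in the gem): \Z also matches just
# before a single trailing "\n", which is why the commit uses \z instead.
def legal_with_capital_z?(string)
  string.to_s =~ /\A[0-9a-f]{24}\Z/i ? true : false
end

VALID_ID = "507f1f77bcf86cd799439011" # constructed, well-formed 24-hex id

# Constructed inputs: a clean id, the newline bypass shape from the advisory,
# an id on a later line, and an id with only a trailing newline.
SAMPLES = {
  "clean id"         => VALID_ID,
  "multiline bypass" => "#{VALID_ID}\n<injected>",
  "id on line 2"     => "x\n#{VALID_ID}",
  "trailing newline" => "#{VALID_ID}\n",
  "too short"        => VALID_ID[0, 23],
}

# Returns a Hash of sample name => [before_fix, after_fix, capital_Z] results.
def compare_checks(samples = SAMPLES)
  samples.transform_values do |s|
    [legal_before_fix?(s), legal_after_fix?(s), legal_with_capital_z?(s)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-17s %-6s %-7s %-7s", "input", "^..$", "\\A..\\z", "\\A..\\Z")
  compare_checks.each do |name, (before, after, cz)|
    puts format("%-17s %-6s %-7s %-7s", name, before, after, cz)
  end
end
```

Only the clean id passes every check; the `^`/`$` form also accepts the three multi-line inputs, and `\Z` still accepts the trailing-newline one.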

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          | Affected versions | Patched versions
bson (RubyGems)  | < 1.12.3          | 1.12.3
bson (RubyGems)  | >= 2.0, < 3.0.4   | 3.0.4

Patches

Commit 976da329ff03: Use \A \z for checking regex on legal
Repository: https://github.com/mongodb/bson-ruby · Author: Durran Jordan · Jun 4, 2015 · via ghsa
1 file changed · +1 -1
  • lib/bson/object_id.rb (+1 -1, modified)
    @@ -282,7 +282,7 @@ def from_time(time, options = {})
           #
           # @since 2.0.0
           def legal?(string)
    -        string.to_s =~ /^[0-9a-f]{24}$/i ? true : false
    +        string.to_s =~ /\A[0-9a-f]{24}\z/i ? true : false
           end
     
           # Executes the provided block only if the size of the provided object is
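Review bot: the anchors here are \A and \z (lowercase), which is stricter than the \A and \Z the advisory text above describes: \z matches only at the absolute end of the string, while \Z would also match before a single trailing newline, so after this change an otherwise valid 24-hex id followed by "\n" is rejected rather than accepted. That is the safer choice for a value later used as a query key, but the one-line change carries no regression test; adding a spec case for an input with an embedded newline (and one with a trailing newline) would pin the intended behaviour and make the reason for \z over \Z visible to future readers.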
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
