Bulk write with options may read invalid memory
Description
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in the MongoDB C driver's bulk operation handling can read invalid memory when large options are passed.
Vulnerability
Overview
CVE-2025-12119 is a vulnerability in the MongoDB C driver (libmongoc) where a mongoc_bulk_operation_t may read invalid memory if large options are passed. The root cause is an incorrect ownership transfer of a bson_t struct within an internal array. The mongoc_array_t type was used to store bson_t objects, but bson_t is not trivially relocatable, so using memcpy to copy the struct does not correctly transfer ownership of its internal pointers [1].
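The relocation problem described above, as an added example (not code from the driver, the patch, or the advisory). `doc_t`, its fields and the 16-byte inline size are hypothetical: a simplified stand-in that assumes the struct keeps a pointer to one of its own members once a large payload moves to the heap, which is why only the large input fails the check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model for this example, NOT libbson's real bson_t layout. */
typedef struct {
    uint8_t **buf;            /* NULL while inline, else &self->heap */
    uint8_t *heap;            /* heap payload for large documents */
    uint8_t inline_data[16];  /* constructed size for the demo */
} doc_t;

static void doc_init(doc_t *d, const char *s) {
    size_t len = strlen(s) + 1;
    uint8_t *dst = d->inline_data;
    memset(d, 0, sizeof *d);
    if (len > sizeof d->inline_data) {
        if (!(dst = d->heap = malloc(len))) abort();
        d->buf = &d->heap;    /* pointer into this very struct */
    }
    memcpy(dst, s, len);
}
/* 1 if every internal pointer of *d still refers to *d itself. */
static int doc_self_consistent(const doc_t *d) {
    return d->buf == NULL || (const void *)d->buf == (const void *)&d->heap;
}
/* Before the fix: a byte-copying array relocates the struct itself. */
static int relocate_struct(const char *s) {
    doc_t src, slot;
    doc_init(&src, s);
    memcpy(&slot, &src, sizeof slot);
    int ok = doc_self_consistent(&slot);  /* compare only, never dereference */
    free(src.heap);                       /* one free: slot shares src.heap */
    return ok;
}
/* After the fix: the array slot holds a pointer; the struct never moves. */
static int relocate_pointer(const char *s) {
    doc_t *owned = malloc(sizeof *owned), *slot;
    if (!owned) abort();
    doc_init(owned, s);
    memcpy(&slot, &owned, sizeof slot);   /* a pointer is trivially relocatable */
    int ok = doc_self_consistent(slot);
    free(slot->heap);
    free(slot);
    return ok;
}

int main(void) {
    const char *big = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* constructed, 32 bytes */
    return !(relocate_struct("abc") && !relocate_struct(big) && relocate_pointer(big));
}
```

In the model, the small payload survives a byte copy because it has no internal pointer, which is how this class of bug passes tests that only use small inputs.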
Exploitation
An attacker who can provide large options to a bulk operation can trigger the invalid memory read. The vulnerability is in the handling of cmd_opts in mongoc_write_command_t, which was changed from a bson_t to a bson_t * to fix the ownership issue [1]. The attack requires the ability to send crafted bulk operations to a MongoDB instance using the vulnerable driver.
Impact
Successful exploitation could lead to reading of invalid memory, potentially causing a crash or information disclosure. The vulnerability is classified as a memory safety issue.
Mitigation
The fix was released in mongo-c-driver versions 1.30.6 [2] and 2.1.2 [3]. Users should upgrade to these versions or later. The commit also adds a regression test to prevent recurrence [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongodb/mongodb-extension (Packagist) | < 1.21.2 | 1.21.2 |
Affected products
- MongoDB/C Driver · v5 · Range: 1.9.0
- MongoDB/PHP Driver · v5 · Range: 0
Patches
775998df7c67 Fix CVE-2025-12119
3 files changed · +156 −1
debian/changelog+2 −1 modified@@ -1,6 +1,7 @@ mongo-c-driver (1.30.4-1+deb13u1) UNRELEASED; urgency=medium - * + * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if + large options are passed. -- Roberto C. Sanchez <roberto@connexer.com> Thu, 18 Dec 2025 13:57:29 -0500
debian/patches/CVE-2025-12119.patch+153 −0 added@@ -0,0 +1,153 @@ +From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001 +From: Kevin Albertson <kevin.albertson@mongodb.com> +Date: Mon, 6 Oct 2025 11:38:22 -0400 +Subject: [PATCH] CDRIVER-6112 fix ownership transfer of + `mongoc_write_command_t` (#2132) (#2137) + +* add regression test +* do not memcpy `bson_t` struct in array + * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap allocate `bson_t`. +* warn against using `bson_t` in `mongoc_array_t` +--- + .../src/mongoc/mongoc-array-private.h | 3 + + .../src/mongoc/mongoc-write-command-private.h | 2 +- + .../src/mongoc/mongoc-write-command.c | 8 +-- + src/libmongoc/tests/test-mongoc-bulk.c | 56 +++++++++++++++++++ + 4 files changed, 64 insertions(+), 5 deletions(-) + +diff --git a/src/libmongoc/src/mongoc/mongoc-array-private.h b/src/libmongoc/src/mongoc/mongoc-array-private.h +index 9956224b34..c8de6f1f52 100644 +--- a/src/libmongoc/src/mongoc/mongoc-array-private.h ++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h +@@ -25,6 +25,9 @@ + BSON_BEGIN_DECLS + + ++// mongoc_array_t stores an array of objects of type T. ++// ++// T must be trivially relocatable. In particular, `bson_t` is not trivially relocatable (CDRIVER-6113). 
+ typedef struct _mongoc_array_t mongoc_array_t; + + +diff --git a/src/libmongoc/src/mongoc/mongoc-write-command-private.h b/src/libmongoc/src/mongoc/mongoc-write-command-private.h +index 85121594e0..c1bf751e01 100644 +--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h ++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h +@@ -61,7 +61,7 @@ typedef struct { + uint32_t n_documents; + mongoc_bulk_write_flags_t flags; + int64_t operation_id; +- bson_t cmd_opts; ++ bson_t *cmd_opts; + } mongoc_write_command_t; + + +diff --git a/src/libmongoc/src/mongoc/mongoc-write-command.c b/src/libmongoc/src/mongoc/mongoc-write-command.c +index a375d8f200..36f2470acb 100644 +--- a/src/libmongoc/src/mongoc/mongoc-write-command.c ++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c +@@ -143,9 +143,9 @@ _mongoc_write_command_init_bulk ( + command->flags = flags; + command->operation_id = operation_id; + if (!bson_empty0 (opts)) { +- bson_copy_to (opts, &command->cmd_opts); ++ command->cmd_opts = bson_copy (opts); + } else { +- bson_init (&command->cmd_opts); ++ command->cmd_opts = bson_new (); + } + + _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL); +@@ -671,7 +671,7 @@ _mongoc_write_opmsg (mongoc_write_command_t *command, + ? 
MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO + : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES; + +- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts)); ++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts)); + if (!mongoc_cmd_parts_append_opts (&parts, &iter, error)) { + bson_destroy (&cmd); + mongoc_cmd_parts_cleanup (&parts); +@@ -944,7 +944,7 @@ _mongoc_write_command_destroy (mongoc_write_command_t *command) + ENTRY; + + if (command) { +- bson_destroy (&command->cmd_opts); ++ bson_destroy (command->cmd_opts); + _mongoc_buffer_destroy (&command->payload); + } + +diff --git a/src/libmongoc/tests/test-mongoc-bulk.c b/src/libmongoc/tests/test-mongoc-bulk.c +index 357893ce1c..e4666c1db3 100644 +--- a/src/libmongoc/tests/test-mongoc-bulk.c ++++ b/src/libmongoc/tests/test-mongoc-bulk.c +@@ -4768,6 +4768,55 @@ test_bulk_write_set_client_updates_operation_id_when_client_changes (void) + mock_server_destroy (mock_server); + } + ++// `test_bulk_big_let` tests a bulk operation with a large let document to reproduce CDRIVER-6112: ++static void ++test_bulk_big_let (void *unused) ++{ ++ BSON_UNUSED (unused); ++ ++ mongoc_client_t *client = test_framework_new_default_client (); ++ mongoc_collection_t *coll = get_test_collection (client, "test_big_let"); ++ bson_error_t error; ++ ++ // Create bulk operation similar to PHP driver: ++ mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered */); ++ ++ // Set a large `let`: { "testDocument": { "a": "aaa..." 
} } ++ { ++ bson_t let = BSON_INITIALIZER, testDocument; ++ bson_append_document_begin (&let, "testDocument", -1, &testDocument); ++ ++ // Append big string: ++ { ++ size_t num_chars = 79; ++ char *big_string = bson_malloc0 (num_chars + 1); ++ memset (big_string, 'a', num_chars); ++ BSON_APPEND_UTF8 (&testDocument, "a", big_string); ++ bson_free (big_string); ++ } ++ ++ bson_append_document_end (&let, &testDocument); ++ mongoc_bulk_operation_set_let (bulk, &let); ++ bson_destroy (&let); ++ } ++ ++ ++ mongoc_bulk_operation_set_client (bulk, client); ++ mongoc_bulk_operation_set_database (bulk, "db"); ++ mongoc_bulk_operation_set_collection (bulk, "coll"); ++ ++ mongoc_bulk_operation_update ( ++ bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': '$$testDocument'}}"), true); ++ ++ ++ ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), error); ++ ++ mongoc_bulk_operation_destroy (bulk); ++ mongoc_collection_destroy (coll); ++ mongoc_client_destroy (client); ++} ++ ++ + void + test_bulk_install (TestSuite *suite) + { +@@ -4946,4 +4995,11 @@ test_bulk_install (TestSuite *suite) + TestSuite_AddMockServerTest (suite, + "/BulkOperation/set_client_updates_operation_id_when_client_changes", + test_bulk_write_set_client_updates_operation_id_when_client_changes); ++ TestSuite_AddFull ( ++ suite, ++ "/BulkOperation/big_let", ++ test_bulk_big_let, ++ NULL, ++ NULL, ++ test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' support in CRUD commands */); + } +-- +2.39.5 +
debian/patches/series+1 −0 modified@@ -1 +1,2 @@ 0001_local_mathjax.diff +CVE-2025-12119.patch
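Review bot: the new `bson_t *cmd_opts;` member in `mongoc_write_command_t` (mongoc-write-command-private.h) has no comment saying it is heap-allocated and owned by the command, so the reason it is a pointer is only recoverable from the commit message. The warning added in mongoc-array-private.h is documentation only; nothing in the visible change prevents another by-value `bson_t` member from being added to a struct stored in a `mongoc_array_t`. Suggest a one-line ownership comment on the field that references the array constraint.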
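Review bot: in mongoc-write-command.c, `cmd_opts` can now be NULL, which the old by-value member could not be. `BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));` in `_mongoc_write_opmsg` depends on the pointer having been set, and `_mongoc_write_command_init_bulk` is the only place in this diff that assigns it; confirm every path that builds a `mongoc_write_command_t` goes through it. In `_mongoc_write_command_destroy`, `bson_destroy (command->cmd_opts);` leaves the pointer dangling; set `command->cmd_opts = NULL;` afterwards.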
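Review bot: in `test_bulk_big_let` (test-mongoc-bulk.c), `coll` from `get_test_collection (client, "test_big_let")` is created and destroyed but never used; the bulk operation targets the hard-coded `"db"` / `"coll"` namespace instead, and the upsert it performs is not cleaned up. Either route the bulk through `coll` or drop the variable. `size_t num_chars = 79;` also needs a comment stating why this length reproduces CDRIVER-6112, so the value is not reduced later without anyone noticing the test stopped covering the bug.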
fa5b43366407 PHPC-2637: Update to libmongoc 1.30.6 (#1882)
6 files changed · +16 −16
config.m4+4 −4 modified@@ -277,26 +277,26 @@ if test "$PHP_MONGODB" != "no"; then PHP_MONGODB_MONGOCRYPT_VERSION_STRING="None" if test "$PHP_MONGODB_SYSTEM_LIBS" != "no"; then - PKG_CHECK_MODULES([PHP_MONGODB_BSON], [libbson-1.0 >= 1.30.5], [ + PKG_CHECK_MODULES([PHP_MONGODB_BSON], [libbson-1.0 >= 1.30.6], [ PHP_MONGODB_BSON_VERSION=`$PKG_CONFIG libbson-1.0 --modversion` PHP_MONGODB_BSON_VERSION_STRING="System ($PHP_MONGODB_BSON_VERSION)" PHP_MONGODB_CFLAGS="$PHP_MONGODB_CFLAGS $PHP_MONGODB_BSON_CFLAGS" PHP_EVAL_LIBLINE($PHP_MONGODB_BSON_LIBS, MONGODB_SHARED_LIBADD) AC_DEFINE(HAVE_SYSTEM_LIBBSON, 1, [Use system libbson]) ],[ - AC_MSG_ERROR([Could not find system library for libbson >= 1.30.5]) + AC_MSG_ERROR([Could not find system library for libbson >= 1.30.6]) ]) - PKG_CHECK_MODULES([PHP_MONGODB_MONGOC], [libmongoc-1.0 >= 1.30.5], [ + PKG_CHECK_MODULES([PHP_MONGODB_MONGOC], [libmongoc-1.0 >= 1.30.6], [ PHP_MONGODB_BSON_VERSION=`$PKG_CONFIG libbson-1.0 --modversion` PHP_MONGODB_BSON_VERSION_STRING="System ($PHP_MONGODB_BSON_VERSION)" PHP_MONGODB_CFLAGS="$PHP_MONGODB_CFLAGS $PHP_MONGODB_MONGOC_CFLAGS" PHP_EVAL_LIBLINE($PHP_MONGODB_MONGOC_LIBS, MONGODB_SHARED_LIBADD) AC_DEFINE(HAVE_SYSTEM_LIBMONGOC, 1, [Use system libmongoc]) ],[ - AC_MSG_ERROR(Could not find system library for libmongoc >= 1.30.5) + AC_MSG_ERROR(Could not find system library for libmongoc >= 1.30.6) ]) if test "$PHP_MONGODB_CLIENT_SIDE_ENCRYPTION" != "no"; then
.evergreen/config/generated/build/build-libmongoc.yml+1 −1 modified@@ -12,7 +12,7 @@ tasks: - func: "compile driver" vars: PHP_VERSION: "8.3" - LIBMONGOC_VERSION: "1.30.5" + LIBMONGOC_VERSION: "1.30.6" - func: "upload build" - name: "build-php-8.3-libmongoc-next-stable"
.evergreen/config/templates/build/build-libmongoc.yml+1 −1 modified@@ -10,7 +10,7 @@ - func: "compile driver" vars: PHP_VERSION: "%phpVersion%" - LIBMONGOC_VERSION: "1.30.5" + LIBMONGOC_VERSION: "1.30.6" - func: "upload build" - name: "build-php-%phpVersion%-libmongoc-next-stable"
sbom.json+8 −8 modified@@ -19,34 +19,34 @@ "version": "1.12.0" }, { - "bom-ref": "pkg:github/mongodb/mongo-c-driver@1.30.5", + "bom-ref": "pkg:github/mongodb/mongo-c-driver@1.30.6", "externalReferences": [ { "type": "distribution", - "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/1.30.5.tar.gz" + "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/1.30.6.tar.gz" }, { "type": "website", - "url": "https://github.com/mongodb/mongo-c-driver/tree/1.30.5" + "url": "https://github.com/mongodb/mongo-c-driver/tree/1.30.6" } ], "group": "mongodb", "name": "mongo-c-driver", - "purl": "pkg:github/mongodb/mongo-c-driver@1.30.5", + "purl": "pkg:github/mongodb/mongo-c-driver@1.30.6", "type": "library", - "version": "1.30.5" + "version": "1.30.6" } ], "dependencies": [ { "ref": "pkg:github/mongodb/libmongocrypt@1.12.0" }, { - "ref": "pkg:github/mongodb/mongo-c-driver@1.30.5" + "ref": "pkg:github/mongodb/mongo-c-driver@1.30.6" } ], "metadata": { - "timestamp": "2025-06-10T10:24:13.960044+00:00", + "timestamp": "2025-10-07T14:08:41.389820+00:00", "tools": [ { "externalReferences": [ @@ -90,7 +90,7 @@ ] }, "serialNumber": "urn:uuid:acb30d08-ee47-4ff0-b301-d66ef1f54082", - "version": 12, + "version": 13, "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5",
src/libmongoc+1 −1 modified@@ -1 +1 @@ -Subproject commit 252989c310f7a326230f66311630ba259e34e4b3 +Subproject commit 0106ff90b108bbf312db122fec7d263543028355
src/LIBMONGOC_VERSION_CURRENT+1 −1 modified@@ -1 +1 @@ -1.30.5 +1.30.6
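Review bot: in config.m4, the `PKG_CHECK_MODULES([PHP_MONGODB_MONGOC], [libmongoc-1.0 >= 1.30.6], ...)` branch still assigns `PHP_MONGODB_BSON_VERSION` from `$PKG_CONFIG libbson-1.0 --modversion` in its unchanged context lines, so the libmongoc check never records the libmongoc version that was actually found. Since this bump exists to enforce a fixed libmongoc, that branch should query `libmongoc-1.0` into its own variable. The same branch calls `AC_MSG_ERROR(Could not find system library for libmongoc >= 1.30.6)` without the `[...]` quoting used by the libbson branch; quote it for consistency. The minimum version string is repeated four times in this file alone; a single m4 variable would make the next security bump less error-prone.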
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mwcc-7vpp-xmv9 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-12119 · ghsa · ADVISORY
- github.com/mongodb/mongo-c-driver/commit/775998df7c67 · ghsa · WEB
- github.com/mongodb/mongo-c-driver/releases/tag/1.30.6 · ghsa · WEB
- github.com/mongodb/mongo-c-driver/releases/tag/2.1.2 · ghsa · WEB
- github.com/mongodb/mongo-php-driver/commit/fa5b43366407bc0e5b0a919ed374decd9022b2f9 · ghsa · WEB
- github.com/mongodb/mongo-php-driver/releases/tag/1.21.2 · ghsa · WEB
- jira.mongodb.org/browse/PHPC-2637 · ghsa · WEB
- lists.debian.org/debian-lts-announce/2026/01/msg00009.html · ghsa · WEB