GHSA-m87m-mmvp-v9qm

GitHub Security Advisory

PyMongo Out-of-bounds Read in the bson module

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions of the package pymongo before 4.6.3 are vulnerable to an Out-of-bounds Read in the bson module. Using a crafted payload, an attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret the bytes next to the buffer and throws an exception with a string. If the following bytes are not printable UTF-8, the parser throws an exception with a single byte.

Affected Packages

PyPI pymongo
Affected versions: all versions from 0 up to, but not including, 4.6.3 (fixed in 4.6.3)

Key Information

GHSA ID: GHSA-m87m-mmvp-v9qm
Published: June 5, 2024 3:30 PM
Last Modified: June 18, 2024 7:15 PM
CVSS Score: 5.0/10
Primary Ecosystem: PyPI
Primary Package: pymongo
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.