CVE-2025-61301
📋 TL;DR
This vulnerability in CAPEv2 allows attackers who can submit samples to cause denial-of-analysis by generating deeply nested or oversized behavior data that triggers MongoDB BSON limits or orjson recursion errors. This results in incomplete or missing behavioral analysis reports. Systems running vulnerable versions of CAPEv2 with the affected reporting modules are impacted.
💻 Affected Systems
- CAPEv2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of malware analysis capabilities, preventing security teams from obtaining behavioral reports on submitted samples, potentially allowing malicious samples to go undetected.
Likely Case
Intermittent analysis failures for specific samples, causing gaps in security monitoring and requiring manual investigation of failed analyses.
If Mitigated
Limited impact with proper input validation and monitoring, where failed analyses are logged and alerts are generated for investigation.
🎯 Exploit Status
Exploitation requires ability to submit samples to CAPEv2. The vulnerability is documented with proof-of-concept available in the GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check for commits after 52e4b43 (2025-05-17)
Vendor Advisory: https://github.com/kevoreilly/CAPEv2
Restart Required: Yes
Instructions:
1. Update CAPEv2 to the latest version from the official repository.
2. Check for fixes in reporting/mongodb.py and reporting/jsondump.py.
3. Restart CAPEv2 services to apply changes.
🔧 Temporary Workarounds
Implement input validation
Add validation to limit the nesting depth and size of behavior data before processing
# Modify reporting modules to add validation logic
# Example: Add depth and size checks before MongoDB/orjson operations
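A concrete version of that validation step, written for this record as an added example and not taken from the CAPEv2 repository. It assumes the behavior data arrives as plain Python dicts and lists (as it would before a MongoDB insert or an orjson dump), and the limits, function names and sample input are assumptions chosen for illustration. The depth check walks the structure with an explicit stack so the checker itself cannot hit a recursion error, depth is checked before size because the size measurement serialises the object and would otherwise fail first, and an over-deep structure is pruned rather than dropped so the report still lands in the database with a logged warning.

```python
"""Pre-flight checks for behavior data before it reaches MongoDB or orjson.

Added example for this record, not code from the CAPEv2 repository. The
limits, function names and the shape of the sample data are assumptions.
"""
import json

MAX_DEPTH = 100                  # assumed cap, matching the depth quoted for mongod above
MAX_BYTES = 16 * 1024 * 1024     # 16 MiB, the BSON document size limit


def nesting_depth(obj):
    """Count nested container levels with an explicit stack, so the checker
    itself cannot hit RecursionError on a pathologically deep object."""
    max_depth = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue                       # scalars do not add a level
        max_depth = max(max_depth, depth)
        stack.extend((child, depth + 1) for child in children)
    return max_depth


def check_behavior(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Return (ok, reason). Depth is checked before size because json.dumps
    recurses and would itself fail on an over-deep object."""
    depth = nesting_depth(data)
    if depth > max_depth:
        return False, f"nesting depth {depth} exceeds {max_depth}"
    size = len(json.dumps(data, default=str).encode("utf-8"))
    if size > max_bytes:
        return False, f"serialized size {size} bytes exceeds {max_bytes}"
    return True, "ok"


def prune_to_depth(obj, limit, _depth=1):
    """Replace any container nested deeper than `limit` with a marker string.
    Recursion here is bounded by `limit`, so it is safe for sane limits."""
    if isinstance(obj, dict):
        if _depth > limit:
            return "<pruned: depth limit exceeded>"
        return {k: prune_to_depth(v, limit, _depth + 1) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        if _depth > limit:
            return "<pruned: depth limit exceeded>"
        return [prune_to_depth(v, limit, _depth + 1) for v in obj]
    return obj


def safe_report(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Validate, prune once if needed, and never raise: the caller gets a
    storable document plus warnings to log, instead of a missing report."""
    warnings = []
    ok, reason = check_behavior(data, max_depth, max_bytes)
    if ok:
        return data, warnings
    warnings.append(f"behavior data rejected ({reason}); pruning to depth {max_depth}")
    pruned = prune_to_depth(data, max_depth)
    ok, reason = check_behavior(pruned, max_depth, max_bytes)
    if not ok:
        warnings.append(f"still over limit after pruning ({reason}); dropping section")
        return {"behavior_dropped": True, "reason": reason}, warnings
    return pruned, warnings


def make_deep(levels):
    """Constructed test input: a chain of `levels` nested dicts around a leaf."""
    node = {"leaf": True}
    for _ in range(levels):
        node = {"child": node}
    return node


if __name__ == "__main__":
    # 5001 nested dicts: far beyond any sane behavior tree, and deep enough to
    # break a recursive serialiser. The pruned result still has a usable shape.
    report, warns = safe_report(make_deep(5000))
    print("depth after handling:", nesting_depth(report))
    for w in warns:
        print("WARN", w)
```

Pruning only helps with the depth case; a document that is merely too large stays too large, which is why `safe_report` falls back to a small placeholder section and a second warning rather than letting the MongoDB insert fail silently. Wire the returned warnings into the same log the SIEM query below already watches.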
Configure MongoDB limits
Adjust MongoDB BSON document size limits and validation rules
mongod --setParameter maxBSONDepth=100
mongod --setParameter maxBSONObjectSize=16777216
🧯 If You Can't Patch
- Restrict sample submission to trusted sources only
- Monitor for analysis failures and implement alerting for repeated failures
🔍 How to Verify
Check if Vulnerable:
Check whether your CAPEv2 checkout is at commit 52e4b43 or earlier (vulnerable) by examining the git history or version files.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that reporting/mongodb.py and reporting/jsondump.py have been updated with proper input validation and error handling for nested/oversized data.
📡 Detection & Monitoring
Log Indicators:
- MongoDB BSON size limit errors
- orjson recursion depth errors
- Analysis report generation failures
- Unexpected termination of reporting processes
Network Indicators:
- Increased failed analysis submissions
- Unusual patterns in sample submission rates
SIEM Query:
source="capev2.log" AND ("BSON" OR "orjson" OR "recursion" OR "depth limit") AND error
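Where no SIEM is in front of the log, the same indicators can be matched directly on the reporting log and turned into an alert on repeated failures, as the "If You Can't Patch" section recommends. The following is an added example written for this record, not CAPEv2's own tooling: the log line layout, task numbers and error messages are constructed to look like a Cuckoo-style log, and the window and threshold values are assumptions to adjust per deployment.

```python
"""Scan reporting-module errors for the indicators listed above and alert on
repeated failures inside a short window.

Added example for this record, not CAPEv2 code. The log format, task numbers
and messages below are constructed; adapt the regular expressions to the
real log layout of your installation.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like a Cuckoo-style log; not real CAPEv2 output.
SAMPLE_LOG = """\
2025-05-20 10:00:01,000 [lib.cuckoo.core.scheduler] INFO: Task #101: analysis procedure completed
2025-05-20 10:00:05,000 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MongoDB" for task #102: BSON document too large
2025-05-20 10:00:09,000 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "JsonDump" for task #102: orjson.JSONEncodeError: Recursion limit reached
2025-05-20 10:00:40,000 [lib.cuckoo.core.scheduler] INFO: Task #103: analysis procedure completed
2025-05-20 10:01:10,000 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MongoDB" for task #104: BSON document too large
2025-05-20 10:30:00,000 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MongoDB" for task #150: BSON document too large
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# Same terms as the SIEM query above; only ERROR-level lines are considered.
INDICATOR_RE = re.compile(r"BSON|orjson|recursion|depth limit", re.IGNORECASE)
TASK_RE = re.compile(r"#(\d+)")


def parse_events(text):
    """Return the ERROR lines that carry one of the indicators, as dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        msg = m.group("msg")
        hit = INDICATOR_RE.search(msg)
        if not hit:
            continue
        task = TASK_RE.search(msg)
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
            "task": task.group(1) if task else None,
            "indicator": hit.group(0),
            "msg": msg,
        })
    return events


def alert_on_repeats(events, window=timedelta(minutes=5), threshold=3):
    """Sliding-window count: emit one alert each time `threshold` matching
    errors land within `window`, then reset so one burst alerts once."""
    alerts = []
    recent = deque()
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent.append(ev)
        while recent and ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "at": ev["ts"],
                "count": len(recent),
                "tasks": [e["task"] for e in recent],
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    found = parse_events(SAMPLE_LOG)
    print(f"{len(found)} indicator errors")
    for a in alert_on_repeats(found):
        print("ALERT", a["at"], a["count"], "failures, tasks", a["tasks"])
```

Two failures for the same task within seconds (the MongoDB and JsonDump modules both failing on one task) are the pattern this CVE produces, so the alert keeps the task list rather than just a count; that list is what an analyst needs to decide whether one submitter is responsible for the burst.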