GHSA-v8w9-2789-6hhr

Source
https://github.com/advisories/GHSA-v8w9-2789-6hhr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-v8w9-2789-6hhr/GHSA-v8w9-2789-6hhr.json
Aliases
Published
2021-05-07T16:04:54Z
Modified
2023-11-08T04:04:00.368373Z
Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.

References

Affected packages

npm / bson

Package

Name
bson

Affected ranges

Type
SEMVER
Events
Introduced
0 (The exact introduced commit is unknown)
Fixed
1.1.4

Ecosystem specific

{
    "affected_functions": [
        "(bson).BSON.serialize"
    ]
}