GHSA-v8w9-2789-6hhr

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-v8w9-2789-6hhr/GHSA-v8w9-2789-6hhr.json

Aliases

CVE-2020-7610

Published

2021-05-07T16:04:54Z

Modified

2023-03-30T22:46:24Z

Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-7610
https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8
https://snyk.io/vuln/SNYK-JS-BSON-561052

Affected packages

npm / bson

bson

Affected ranges

Type: SEMVER
Events: Introduced

0

Fixed

1.1.4

Affected versions

Ecosystem specific

{
    "affected_functions": [
        "bson.BSON.serialize"
    ]
}