All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a plain document rather than the intended BSON type.
This report from snyk.io concerns Node.js/npm's implementation of bson (vertx and fuse both use MongoDB's Java implementation, so they're not affected). Manifests suggest that while Fedora ships the Node.js implementation of bson, the version they ship is older than the affected version.
@mkaplan: should this have had a task associated with it?
Comment 3 Product Security DevOps Team
2020-04-20 22:31:48 UTC