nodejs-bson before version 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDos) in decimal128.js. Upstream Commit: https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a Additional References: https://snyk.io/vuln/npm:bson:20180225
Created nodejs-bson tracking bugs for this issue: Affects: fedora-all [bug 1550774] Affects: epel-all [bug 1550773]
The support for the Decimal128 data type was only introduce in bson module version 0.5.0. The problematic regular expression was introduced via the following commit: https://github.com/mongodb/js-bson/commit/e14b4d081a2704b86b8c3407382e107f23ad0da6 Note that the nodejs-bson packages in Fedora and Fedora EPEL are based upstream versions prior to 0.5.0 (0.4.23 in Fedora, and 0.2.x in EPEL), they were not affected by this flaw.
Note that this flaw is not triggered when deserializing data from the BSON format. It is only triggered when preparing objects for serialization to BSON if those objects need to contain fields with decimal128 type, and the value is constructed using Decimal128.fromString() from a long untrusted string.