All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
External References: https://snyk.io/vuln/SNYK-JS-BSON-561052
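A pre-serialization guard for the case described above, as an added example that is not code from the bson package or from this report: it walks a value and refuses any object whose _bsontype is present but unrecognized. The function names and the KNOWN_BSON_TYPES list are assumptions; align the list with the bson release in use.

```javascript
// Added example: refuse values whose _bsontype is not a known BSON type.
// KNOWN_BSON_TYPES is an assumption; align it with the bson release you run.
const KNOWN_BSON_TYPES = new Set([
  'Binary', 'BSONRegExp', 'Code', 'DBRef', 'Decimal128', 'Double', 'Int32',
  'Long', 'MaxKey', 'MinKey', 'ObjectID', 'ObjectId', 'Symbol', 'Timestamp',
]);

// Return the path and value of every _bsontype that is present but not
// recognized, i.e. the objects the advisory says end up serialized as
// plain documents instead of the intended BSON type.
function findUnknownBsonTypes(value, path = '$', seen = new Set(), hits = []) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return hits;
  seen.add(value); // protects against cyclic structures
  if ('_bsontype' in value) { // "in" also sees a marker set on the prototype
    if (!KNOWN_BSON_TYPES.has(value._bsontype)) {
      hits.push({ path, bsontype: value._bsontype });
    }
    return hits; // do not descend into BSON type wrappers
  }
  const isArray = Array.isArray(value);
  for (const [key, child] of Object.entries(value)) {
    const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
    findUnknownBsonTypes(child, childPath, seen, hits);
  }
  return hits;
}

// Throw instead of letting an unrecognized type marker reach the serializer.
function assertSerializable(value) {
  const hits = findUnknownBsonTypes(value);
  if (hits.length > 0) {
    const detail = hits
      .map((h) => `${h.path} (_bsontype=${JSON.stringify(h.bsontype)})`)
      .join(', ');
    throw new TypeError(`Refusing to serialize: unrecognized _bsontype at ${detail}`);
  }
  return value;
}

// Constructed sample input: a request body parsed from JSON.
const sampleBody = JSON.parse(
  '{"name":"a","_id":{"_bsontype":"ObjectIDx","id":"0123456789ab"},' +
  '"tags":[{"_bsontype":"Long","low":1,"high":0}]}'
);
```

This guard covers only the unknown-value case from the advisory. For data parsed from untrusted JSON, a stricter policy is to reject any _bsontype key at all, since parsed JSON never contains genuine BSON type instances.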
This report from snyk.io concerns nodejs/npm's implementation of bson (vertx and fuse both use MongoDB's Java impl, so it's not affected). Manifests suggest that while Fedora ships the nodejs impl of bson, the version they ship is older than the affected version. @mkaplan: should this have had a task associated with it?
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7610
@chazlett: yes, it should.