CVE-2019-2391: Release v1.1.4 · mongodb/js-bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects MongoDB Inc. js-bson library versions 1.1.3 and prior.
The MongoDB Node.js team is pleased to announce version 1.1.4 of the bson module!
This patch release resolves an issue with BSON serialization with invalid _bsontype, originally reported by @xiaofen9. MongoDB will be issuing a CVE for this vulnerability, and we recommend that all users pin their version of the bson module to 1.1.4 or higher.
Release Notes

Bug
- [NODE-2514] - BSON serialization ignores unknown _bsontype
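
A defense-in-depth check to run alongside the upgrade, shown as an added example (not code from js-bson or MongoDB): reject client-supplied JSON that carries a `_bsontype` key before it reaches BSON serialization. It assumes legitimate BSON values are only constructed server-side; `findBsontypePaths`, `parseUntrustedJson` and the sample bodies are hypothetical names and constructed inputs.

```javascript
// Added example: refuse untrusted JSON that claims a BSON type.
// Assumption: clients never have a legitimate reason to send `_bsontype`.
const RESERVED_KEY = '_bsontype';

// Return the path of every own `_bsontype` property found in a value
// produced by JSON.parse (plain objects, arrays, primitives; no cycles).
function findBsontypePaths(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findBsontypePaths(item, `${path}[${i}]`, found));
    return found;
  }
  for (const key of Object.keys(value)) {
    const childPath = `${path}.${key}`;
    if (key === RESERVED_KEY) found.push(childPath);
    findBsontypePaths(value[key], childPath, found);
  }
  return found;
}

// Parse a request body and throw if any nested object carries `_bsontype`.
function parseUntrustedJson(text) {
  const doc = JSON.parse(text);
  const hits = findBsontypePaths(doc);
  if (hits.length > 0) {
    const err = new TypeError(`client-supplied ${RESERVED_KEY} at ${hits.join(', ')}`);
    err.paths = hits; // expose locations for logging or alerting
    throw err;
  }
  return doc;
}

// Constructed sample request bodies (not taken from the advisory).
const SAMPLE_OK = '{"user":"alice","tags":["a","b"]}';
const SAMPLE_BAD =
  '{"user":"alice","filter":{"_bsontype":"x","v":1},"list":[{"_bsontype":"y"}]}';

// Run both samples through the check and report the outcome of each.
function demo() {
  return [SAMPLE_OK, SAMPLE_BAD].map((body) => {
    try {
      parseUntrustedJson(body);
      return 'accepted';
    } catch (e) {
      return `rejected: ${e.paths.join(', ')}`;
    }
  });
}

console.log(demo());
```

The check complements pinning bson to 1.1.4 or higher; it does not replace the upgrade.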