MongoDB version 2.0.9 represents a minor update to the MongoDB Node.js driver, building upon the foundation established by version 2.0.8. The core difference lies primarily in the dependency updates. Version 2.0.9 upgrades the core driver component, mongodb-core, from version 1.1.2 to 1.1.3. This seemingly incremental change likely incorporates bug fixes, performance improvements, and potentially new features within the core MongoDB interaction layer.
For developers, this means a potentially more stable and efficient MongoDB experience. While the high-level API remains consistent, leveraging the underlying improvements in mongodb-core can lead to tangible benefits in application responsiveness and reliability. Both versions share the same legacy driver emulation philosophy, offering a familiar interface for those accustomed to older MongoDB driver versions.
The development dependencies remain largely the same, with the exception of the removal of gleak in the newer version. The removal of the gleak dev dependency might signal improvements in memory leak detection or the adoption of alternative memory analysis tools. Developers should note the readable-stream dependency remains at 1.0.31 across both versions, suggesting stability in this specific streaming component. Choosing between 2.0.8 and 2.0.9 largely depends on the user's concern for the changes brought by mongodb-core. As always, it's advisable to review the changelog for mongodb-core version 1.1.3 to understand the specific modifications and assess their impact on existing applications before upgrading.
All the vulnerabilities related to the version 2.0.9 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
DLL Injection in kerberos
Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code in the machine.
Upgrade to version 1.0.0 or later.
