MongoDB Node.js driver version 2.2.10 is a minor update over the previous stable release, 2.2.9, bringing small improvements and dependency adjustments aimed at stability and performance. Both versions retain the core functionality of providing access to MongoDB databases from Node.js applications, with features such as connection pooling, query building, and schema validation. The key differences are in the updated dependencies: mongodb-core moves from version 2.0.11 to 2.0.12, bluebird from 3.4.1 to 3.4.6, and mongodb-extended-json from 1.7.0 to 1.7.1, indicating potential bug fixes or enhancements in these underlying components. These updates may translate into improved connection handling, more efficient data serialization and deserialization, or refined data type support. Developers should consider upgrading to 2.2.10 to benefit from these changes. The packages are licensed under Apache-2.0. Version 2.2.10 was released on 2016-09-15; the previous version was released on 2016-08-29.
All vulnerabilities related to version 2.2.10 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson), versions 0.5.0 to 1.0.x before 1.0.5, is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, leading to cases where an object is serialized as a plain document rather than as the intended BSON type.