MongoDB Node.js driver version 2.2.11, released on October 21, 2016, is a minor update over its predecessor, version 2.2.10, released on September 15, 2016. Both versions share the same core dependencies: es6-promise for asynchronous operations, readable-stream for data handling, and mongodb-core. The key distinction is the updated mongodb-core dependency; version 2.2.11 uses mongodb-core version 2.0.13, while 2.2.10 relies on version 2.0.12.
This seemingly small change hints at underlying bug fixes, performance improvements, or new features in the core driver. Developers considering an upgrade from 2.2.10 to 2.2.11 should review the changelog for mongodb-core 2.0.13 to understand the implications. Both versions ship the same development dependencies for testing and development, such as bson, bluebird, semver, and tools for benchmarking and code quality, but the updated mongodb-core could lead to improved stability or performance when interacting with MongoDB databases. Reviewing the core driver changes is therefore essential to making an informed decision about updating, ensuring compatibility with the application environment and taking advantage of any new functionality. As both versions are quite old, upgrading to the latest major version is highly advisable for current features and security fixes.
All vulnerabilities affecting version 2.2.11 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Remediation: upgrade to version 3.1.13 or later.
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
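The _bsontype issue above stems from application code handing client-supplied JSON straight to the BSON serializer. The following is an added example, not code from js-bson or the MongoDB driver, of a pre-serialization check that rejects untrusted input carrying a _bsontype marker at any depth; the function names and the sample documents are constructed for illustration.

```javascript
// Added example (not from the js-bson project): reject untrusted JSON that
// carries a `_bsontype` marker anywhere in the document. A client sending
// plain JSON has no legitimate reason to supply BSON type markers, so their
// presence is treated as a validation failure instead of being passed on to
// bson.serialize(), where an unknown value would be silently serialized as
// an ordinary document.

function findBsonTypeMarker(value, path = '$') {
  // Returns the JSON path of the first `_bsontype` key found, or null.
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findBsonTypeMarker(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    if (Object.prototype.hasOwnProperty.call(value, '_bsontype')) {
      return `${path}._bsontype`;
    }
    for (const key of Object.keys(value)) {
      const hit = findBsonTypeMarker(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

function parseUntrustedDocument(jsonText) {
  // Parse client-supplied JSON and refuse it if it smuggles a BSON type marker.
  const doc = JSON.parse(jsonText);
  const hit = findBsonTypeMarker(doc);
  if (hit) {
    throw new Error(`rejected untrusted input: BSON type marker at ${hit}`);
  }
  return doc;
}

// Constructed sample inputs: one ordinary document, one carrying a marker.
const cleanInput = '{"user":"alice","tags":["a","b"],"profile":{"age":30}}';
const taintedInput =
  '{"user":"alice","profile":{"id":{"_bsontype":"Bogus","value":"x"}}}';

console.log(findBsonTypeMarker(JSON.parse(cleanInput)));   // null
console.log(findBsonTypeMarker(JSON.parse(taintedInput))); // $.profile.id._bsontype
```

The same walk can be extended to reject other reserved keys before serialization, such as those beginning with `$`, if the application never expects them from clients.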