MongoDB Node.js driver version 2.2.3 is a minor update over the previous stable version 2.2.2, providing a targeted set of improvements and refinements for developers using MongoDB in their Node.js applications. Released on July 19, 2016, just a few days after version 2.2.2, its key visible change is the updated dependency on the mongodb-core package, moving from version 2.0.5 to 2.0.6. This suggests that the update primarily addresses internal refinements or bug fixes within the core driver logic, potentially improving performance or stability, or addressing specific edge cases encountered by users. While the public API remains largely consistent, developers should note this updated dependency, since it pulls in whatever changes were made to the core driver's behavior.
The development dependencies remain unchanged, indicating no alterations to the testing or build process between the two versions. This implies that the focus was on refining existing functionality rather than introducing significant new features that would require changes to the development environment. Given the short turnaround between releases, it is reasonable to conclude that version 2.2.3 is a patch release building on the foundation of version 2.2.2. Developers already using 2.2.2 are encouraged to upgrade to version 2.2.3 to benefit from these subtle enhancements and potential bug fixes in the driver's lower-level interaction with the MongoDB server. However, a thorough review and test cycle is still advisable whenever dependencies are upgraded in a production environment.
Known vulnerabilities affecting version 2.2.3 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
js-bson vulnerable to REDoS
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.