MongoDB Node.js driver version 2.2.5 was released on July 28, 2016, succeeding version 2.2.4, released nine days earlier on July 19, 2016. Both versions share the same core dependencies, such as es6-promise (3.0.2) and readable-stream (1.0.31), which handle asynchronous operations and data streams. The key difference is the mongodb-core dependency, updated from version 2.0.6 in 2.2.4 to version 2.0.7 in 2.2.5. Because mongodb-core is the engine behind the driver, even this seemingly minor version bump likely carries bug fixes and performance improvements, which makes 2.2.5 the recommended upgrade for stable connectivity to MongoDB databases.
Developers should note that both versions use a suite of development dependencies, including tools for testing (nyc, integra), code quality (gleak, jsdoc), and benchmarking (betterbenchmarks). The inclusion of mongodb-extended-json allows the driver to handle MongoDB's extended JSON format, simplifying data serialization and deserialization. The presence of mongodb-version-manager and mongodb-topology-manager indicates that the driver is tested against different MongoDB server versions and topologies. While the dependency differences between 2.2.4 and 2.2.5 are minimal, the updated mongodb-core suggests a focus on stability and performance, making 2.2.5 the preferable choice for new and existing projects using the MongoDB Node.js driver.
All known vulnerabilities affecting version 2.2.5 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson), versions 0.5.0 to 1.0.x before 1.0.5, is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This can cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, so such an object is serialized as a plain document rather than as the intended BSON type.