CVE-2020-7610 – bson
Package
Manager: npm
Name: bson
Vulnerable Version: >=0 <1.1.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00699 (percentile 0.71099)
Details
Deserialization of Untrusted Data in bson

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Metadata
Created: 2021-05-07T16:04:54Z
Modified: 2023-03-30T22:46:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-v8w9-2789-6hhr/GHSA-v8w9-2789-6hhr.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-v8w9-2789-6hhr
Finding: F096
Auto approve: 1