CVE-2018-13863

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

References

Affected packages

Debian:11 / node-mongodb

Package

Name: node-mongodb
Purl: pkg:deb/debian/node-mongodb?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.10+~3.1.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-mongodb

Package

Name: node-mongodb
Purl: pkg:deb/debian/node-mongodb?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.10+~3.1.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/mongodb/js-bson

Affected ranges

Type: GIT
Repo: https://github.com/mongodb/js-bson
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bd61c45157c53a1698ff23770160cf4783e9ea4a

Fixed

bd61c45157c53a1698ff23770160cf4783e9ea4a

Affected versions

V0.*

V0.0.5

V0.0.6

V0.0.8

V0.0.9

V0.1.0

V0.1.2

V0.1.4

V0.1.9

V0.2.0

V0.2.1

V0.2.10

V0.2.11

V0.2.13

V0.2.14

V0.2.15

V0.2.16

V0.2.17

V0.2.18

V0.2.19

V0.2.2

V0.2.20

V0.2.21

V0.2.3

V0.2.5

V0.2.6

V0.2.8

V0.2.9

V0.3.0

V0.3.1

V0.3.2

V0.4.0

V0.4.1

V0.4.10

V0.4.11

V0.4.12

V0.4.13

V0.4.14

V0.4.15

V0.4.16

V0.4.17

V0.4.18

V0.4.19

V0.4.2

V0.4.20

V0.4.21

V0.4.22

V0.4.23

V0.4.3

V0.4.4

V0.4.5

V0.4.6

V0.4.7

V0.4.8

V0.4.9

V0.5.0

V0.5.1

V0.5.2

V0.5.3

V0.5.4

V0.5.5

V0.5.6

V0.5.7

V1.*

V1.0.0

V1.0.1

V1.0.2

V1.0.3

V1.0.4