Description
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
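A guard for the case described above, as an added example that is not code from the bson project or from this advisory: it walks untrusted, JSON-parsed input and rejects any object whose `_bsontype` is not a recognized value before that input reaches the serializer. The function names, the `KNOWN_TYPES` allowlist and the sample payloads are assumptions made for illustration; check the allowlist against the bson version you run.

```javascript
// Added example: pre-serialization guard for untrusted input (not bson's own code).
// KNOWN_TYPES is an assumed allowlist; verify it against your installed bson version.
const KNOWN_TYPES = new Set([
  'Binary', 'Code', 'DBRef', 'Decimal128', 'Double', 'Int32', 'Long',
  'MaxKey', 'MinKey', 'ObjectID', 'BSONRegExp', 'Symbol', 'Timestamp',
]);

// Returns one { path, marker } entry per object whose _bsontype is not allowlisted.
function findUnknownBsonTypes(value, path = '$', seen = new WeakSet(), hits = []) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return hits;
  seen.add(value); // tolerate cyclic structures
  const marker = value._bsontype;
  if (marker !== undefined && !(typeof marker === 'string' && KNOWN_TYPES.has(marker))) {
    hits.push({ path, marker });
  }
  const isArray = Array.isArray(value);
  for (const [key, child] of isArray ? value.entries() : Object.entries(value)) {
    const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
    findUnknownBsonTypes(child, childPath, seen, hits);
  }
  return hits;
}

// Throws instead of letting the value fall through to plain-document serialization.
function assertSerializable(value) {
  const hits = findUnknownBsonTypes(value);
  if (hits.length > 0) {
    const detail = hits
      .map((h) => `${h.path} (_bsontype=${JSON.stringify(h.marker)})`)
      .join(', ');
    throw new TypeError(`unrecognized _bsontype at ${detail}`);
  }
  return value;
}

// Constructed sample payloads (not taken from the advisory).
const okPayload = JSON.parse('{"name":"alice","tags":["a","b"],"meta":{"age":30}}');
const badPayload = JSON.parse(
  '{"name":"bob","items":[{"id":{"_bsontype":"NotARealType","value":1}}]}'
);

console.log(findUnknownBsonTypes(okPayload));  // no findings
console.log(findUnknownBsonTypes(badPayload)); // one finding under items[0].id
```

Call `assertSerializable` at the trust boundary, on the parsed request body, so a rejected payload never reaches the database driver.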
Remediation
References
https://snyk.io/vuln/SNYK-JS-BSON-561052