CVE-2020-7610

CRITICAL

Mongodb Bson < 1.1.4 - Insecure Deserialization

Title source: rule

Description

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

References (1)

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-BSON-561052

Scores

CVSS v3 9.8

EPSS 0.0054

EPSS Percentile 67.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

mongodb/bson < 1.1.4

npm/bson < 1.1.4npm

Timeline

Published Mar 30, 2020

Tracked Since Feb 18, 2026