CVE-2019-19729

Name of the Vulnerable Software and Affected Versions bson-objectid package version 1.3.0

Description An issue in the bson-objectid package allows an attacker to generate a malformed objectid by inserting an additional property to the user-input. This occurs because bson-objectid returns early if it detects bsontype==ObjectID in the user-input object, enabling objects in arbitrary forms to bypass formatting if they have a valid bsontype.

Recommendations For bson-objectid package version 1.3.0, consider restricting the input to the ObjectID() function to prevent the insertion of additional properties, until a patch is available. As a temporary workaround, validate user-input objects to ensure they do not contain a valid bsontype that could bypass formatting. At the moment, there is no information about a newer version that contains a fix for this vulnerability.