Regular Expression Denial of Service Vulnerability in MongoDB bson JavaScript Module
CVE-2018-13863
7.5 HIGH
Summary
The MongoDB bson JavaScript module, versions 0.5.0 through 1.0.x before 1.0.5, is susceptible to a Regular Expression Denial of Service (ReDoS) attack. The vulnerability is triggered when the Decimal128.fromString() function processes long untrusted strings, which can lead to a denial of service condition. The flaw stems from insufficient validation of the input, allowing attackers to craft specific input strings that significantly degrade system performance and availability.
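As an added example (not code from the bson project), the following defender-side wrapper bounds the length of an untrusted string and checks its syntax in a single linear pass before handing it to Decimal128.fromString(), so an oversized or malformed string never reaches the library's parser. The 64-character bound, the accepted grammar and the injected `fromString` parameter are this example's assumptions; moving to a release outside the affected range remains the proper fix.

```javascript
// Added example: a defensive wrapper for callers that cannot yet move off an
// affected bson release. Every check below is one linear pass over the string,
// so an attacker-controlled string cannot trigger super-linear work here.
// Assumption: 64 characters comfortably covers a sign, 34 significant digits,
// a decimal point and an exponent; anything longer is rejected outright.
const MAX_DECIMAL128_STRING_LENGTH = 64;

function isDigit(c) {
  return c >= '0' && c <= '9';
}

// Accepts [+-]? (digits [. digits?] | . digits) ([eE] [+-]? digits)? and the
// special values NaN / Infinity. This is a conservative grammar chosen for the
// example, not a statement of exactly what bson accepts.
function isWellFormedDecimal128(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_DECIMAL128_STRING_LENGTH) {
    return false;
  }
  let i = 0;
  if (s[i] === '+' || s[i] === '-') i++;
  const body = s.slice(i);
  if (body === 'NaN' || body === 'Infinity') return true;
  let mantissaDigits = 0;
  while (i < s.length && isDigit(s[i])) { i++; mantissaDigits++; }
  if (i < s.length && s[i] === '.') {
    i++;
    while (i < s.length && isDigit(s[i])) { i++; mantissaDigits++; }
  }
  if (mantissaDigits === 0) return false;
  if (i < s.length && (s[i] === 'e' || s[i] === 'E')) {
    i++;
    if (i < s.length && (s[i] === '+' || s[i] === '-')) i++;
    let exponentDigits = 0;
    while (i < s.length && isDigit(s[i])) { i++; exponentDigits++; }
    if (exponentDigits === 0) return false;
  }
  return i === s.length; // reject trailing garbage
}

// Gate the library call. `fromString` is passed in so the example runs without
// bson installed; in real code pass require('bson').Decimal128.fromString.
function safeDecimal128FromString(input, fromString) {
  if (!isWellFormedDecimal128(input)) {
    throw new RangeError('Decimal128 input rejected before parsing');
  }
  return fromString(input);
}
```

Because rejection happens before the library is called, a long hostile string costs the application one bounded string scan rather than whatever work the vulnerable parser would have done.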
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability Reserved
Vulnerability published