CVE-2019-19729
Description
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-input object. As a result, objects in arbitrary forms can bypass formatting if they have a valid bsontype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
bson-objectid 1.3.0 for Node.js allows malformed ObjectID generation by checking only the _bsontype property, enabling property injection attacks.
Vulnerability
Overview
The bson-objectid package version 1.3.0 for Node.js contains a flaw in its ObjectID() constructor. The constructor attempts to accept user-provided objects and check if they are already valid ObjectID instances. However, the check is insufficient: it only verifies that the input object has a _bsontype property equal to "ObjectID" [1], [3]. This allows an attacker to craft a JavaScript object that sets _bsontype to "ObjectID" while including arbitrary additional properties, causing the constructor to return early and treat the entire object as a valid ObjectID.
Exploitation
Conditions
An attacker can exploit this by providing user-controlled input that is passed to the ObjectID() function. The attacker simply includes a property named _bsontype with the string value "ObjectID" in the input object [1], [3]. Unlike the official MongoDB BSON library, which additionally verifies that the input's constructor is ObjectID, the vulnerable package does not enforce this stricter check [3]. No authentication or special network position is required—any service that uses bson-objectid to parse user-supplied data (e.g., from JSON payloads) is susceptible.
Impact
Successful exploitation results in the generation of a malformed ObjectID [1]. This malformed ObjectID may bypass downstream validation and formatting logic that expects a legitimate, well-formed ObjectID. For example, ObjectID.isValid() would incorrectly return true for such a malformed object [3]. This could lead to application-level issues such as database injection, data corruption, or logic errors in systems that rely on the integrity of ObjectIDs.
Mitigation
Status
The issue was fixed in later versions of the package. Users should upgrade to a patched version (e.g., 2.x releases) to remediate the vulnerability. As of the publication date, no workaround exists for version 1.3.0 other than upgrading or manually validating input before passing it to ObjectID() [2], [3].
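The following is an added illustration written for this page, not code from the bson-objectid project or from any of the cited references. It models, in simplified form, the two checks the narrative above contrasts (trusting only the `_bsontype` property versus also requiring the object's constructor, as the official BSON library is described to do) and shows the pre-validation that a service can apply to untrusted input before calling ObjectID(). The `ObjectID` class below is a minimal stand-in for the real constructor, and the JSON payload is a constructed sample.

```javascript
// Added example (not bson-objectid's own code): modelling the weak and strict
// "is this already an ObjectID?" checks, plus input validation for services
// that receive ObjectID values from untrusted JSON.

// Stand-in for the real constructor; assumed for illustration only.
class ObjectID {
  constructor(hex) {
    this._bsontype = 'ObjectID';
    this.id = hex;
  }
}

const HEX24 = /^[0-9a-f]{24}$/i;

// Simplified model of the insufficient check the advisory describes: any
// object carrying _bsontype === "ObjectID" is accepted as-is, whatever else
// it contains.
function looksLikeObjectIdWeak(input) {
  return input !== null && typeof input === 'object' && input._bsontype === 'ObjectID';
}

// Stricter check in the spirit of the official BSON library's behaviour as the
// page describes it: the object must also have been built by the ObjectID
// constructor. Anything produced by JSON.parse has constructor Object and is
// therefore rejected regardless of its properties.
function looksLikeObjectIdStrict(input, ObjectIDClass) {
  return looksLikeObjectIdWeak(input) && input.constructor === ObjectIDClass;
}

// Defensive normalisation for untrusted input: accept only a 24-character hex
// string and return it lower-cased; reject every object so that no injected
// property can ever reach ObjectID().
function normalizeObjectIdInput(input) {
  if (typeof input !== 'string') {
    throw new TypeError('ObjectID input must be a 24-character hex string');
  }
  if (!HEX24.test(input)) {
    throw new TypeError('ObjectID input is not 24 hex characters');
  }
  return input.toLowerCase();
}

// Runs both checks against a constructed payload of the shape the advisory
// describes and against a genuine instance; returns the outcomes.
function demonstrate() {
  // Constructed sample payload, as it would arrive from a JSON request body.
  const payload = JSON.parse('{"_bsontype":"ObjectID","extra":"injected"}');
  const genuine = new ObjectID('507f1f77bcf86cd799439011');
  return {
    weakAcceptsPayload: looksLikeObjectIdWeak(payload),          // true
    strictAcceptsPayload: looksLikeObjectIdStrict(payload, ObjectID), // false
    strictAcceptsGenuine: looksLikeObjectIdStrict(genuine, ObjectID), // true
  };
}

console.log(demonstrate());
```

The practical takeaway for a defender is the last function: a service that only ever hands ObjectID() a validated hex string never exposes the constructor's object-handling path to user input, which neutralises the early-return flaw independently of the library version.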
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bson-objectid (npm) | <= 1.3.0 | — |
Affected products
- BSON ObjectID / bson-objectid
  - Range: = 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p84x-5xx8-hff9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19729 (GHSA advisory)
- github.com/williamkapke/bson-objectid/issues/30 (web, x_refsource_MISC)
- www.npmjs.com/package/bson-objectid (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.