CVE-2019-2391

4.2 MEDIUM

📋 TL;DR

A vulnerability in MongoDB's js-bson library versions 1.1.3 and earlier allows incorrect parsing of certain JSON inputs, leading to improper BSON serialization. This can cause unexpected application behavior including potential data disclosure. Applications using the affected js-bson library for MongoDB operations in Node.js environments are impacted.

💻 Affected Systems

Products:
  • MongoDB js-bson library
Versions: 1.1.3 and earlier
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the js-bson library directly, not MongoDB server itself. Node.js applications using MongoDB drivers may be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Data disclosure through malformed JSON causing BSON serialization errors that expose sensitive information in application responses or logs.

🟠

Likely Case

Application crashes or unexpected behavior when processing specific JSON inputs, potentially leading to denial of service or data corruption.

🟢

If Mitigated

Minimal impact with proper input validation and error handling in place, though underlying vulnerability remains.

🌐 Internet-Facing: MEDIUM - Applications accepting JSON input from untrusted sources could be exploited, but requires specific malformed input.
🏢 Internal Only: LOW - Internal applications with controlled input sources have reduced exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specifically crafted JSON to applications using the vulnerable library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.4

Vendor Advisory: https://github.com/mongodb/js-bson/releases/tag/v1.1.4

Restart Required: Yes

Instructions:

1. Update package.json to specify js-bson version 1.1.4 or later.
2. Run 'npm update js-bson' or 'yarn upgrade js-bson'.
3. Restart the Node.js application.

🔧 Temporary Workarounds

Input Validation

Implement strict JSON input validation and sanitization before passing to js-bson functions.

Error Handling

Wrap js-bson calls in try-catch blocks to prevent crashes from malformed input.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected applications
  • Deploy web application firewall (WAF) with JSON parsing protection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list js-bson' to see if version is 1.1.3 or earlier.

Check Version:

npm list js-bson | grep js-bson

Verify Fix Applied:

Confirm js-bson version is 1.1.4 or later using 'npm list js-bson' and test with known problematic JSON inputs.
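The version check above and the two workarounds (input validation, error handling) in one place, as an added example that is not part of this advisory or of the js-bson project. `isVulnerableBsonVersion` takes the version string reported by `npm list js-bson`; `guardedSerialize` takes the app's own serializer as a parameter (assumed to be something like `BSON.serialize`) so it runs without the package installed, and the size and depth limits are assumed defaults, not values from the advisory.

```javascript
// Parse "MAJOR.MINOR.PATCH" (optional "v" prefix, optional prerelease/build suffix).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new TypeError(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}
// True when the installed js-bson is 1.1.3 or earlier, i.e. before the 1.1.4 fix.
function isVulnerableBsonVersion(version) {
  const [major, minor, patch] = parseSemver(version);
  const fixed = [1, 1, 4]; // first fixed release named in the advisory
  if (major !== fixed[0]) return major < fixed[0];
  if (minor !== fixed[1]) return minor < fixed[1];
  return patch < fixed[2];
}
// Nesting depth of a parsed JSON value (objects and arrays count as one level each).
function depthOf(value, depth = 0) {
  if (value === null || typeof value !== 'object') return depth;
  let max = depth + 1;
  for (const v of Object.values(value)) max = Math.max(max, depthOf(v, depth + 1));
  return max;
}
// Workaround wrapper: validate JSON text before it reaches the BSON layer and keep
// serializer exceptions (and their messages) out of the caller's response.
// `serialize` is whatever the app already uses (e.g. BSON.serialize); it is passed
// in so this example runs without the bson package installed. Limits are assumed.
function guardedSerialize(jsonText, serialize, { maxBytes = 16 * 1024 * 1024, maxDepth = 32 } = {}) {
  if (typeof jsonText !== 'string' || Buffer.byteLength(jsonText) > maxBytes) {
    return { ok: false, reason: 'input rejected: not a string or too large' };
  }
  let doc;
  try {
    doc = JSON.parse(jsonText);
  } catch {
    return { ok: false, reason: 'input rejected: invalid JSON' };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, reason: 'input rejected: top level must be an object' };
  }
  if (depthOf(doc) > maxDepth) return { ok: false, reason: 'input rejected: nesting too deep' };
  try {
    return { ok: true, bytes: serialize(doc) };
  } catch (err) {
    // Log detail server-side only; the response gets a generic reason so error text
    // that echoes document contents cannot leak to the client.
    console.error('BSON serialization failed:', err instanceof Error ? err.message : err);
    return { ok: false, reason: 'serialization failed' };
  }
}
```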

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or errors related to BSON serialization
  • Unexpected JSON parsing errors in application logs

Network Indicators:

  • Unusual JSON payloads sent to application endpoints
  • Increased error responses from JSON processing endpoints

SIEM Query:

source="application.log" AND ("BSON" OR "serialization") AND error
