7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-19729

GHSA ID

GHSA-p84x-5xx8-hff9

EPSS Score

0.45518%

CWE

CWE-20

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-19729

CVE-2019-19729: bson-objectid contains Improper input validation

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-input object. As a result, objects in arbitrary forms can bypass formatting if they have a valid bsontype.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-19729

GHSA ID

GHSA-p84x-5xx8-hff9

EPSS Score

0.45518%

CWE

CWE-20

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bson-objectid	npm	<= 1.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the ObjectID constructor's control flow that prioritizes checking for '_bsontype' property over proper input validation. When user input contains '_bsontype: "ObjectID"', the function returns the input without performing full validation (CWE-670). This allows attackers to inject arbitrary properties (CWE-20). The constructor is the primary entry point for object creation, making it the clear vulnerable function based on the advisory's description of the early return mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** *SON O*j**tI* (*k* *son-o*j**ti*) p**k*** *.*.* *or No**.js. O*j**tI*() *llows *n *tt**k*r to **n*r*t* * m*l*orm** o*j**ti* *y ins*rtin* *n ***ition*l prop*rty to t** us*r-input, ****us* *son-o*j**ti* will r*turn **rly

Reasoning

T** vuln*r**ility st*ms *rom t** O*j**tI* *onstru*tor's *ontrol *low t**t prioritiz*s ****kin* *or '_*sontyp*' prop*rty ov*r prop*r input v*li**tion. W**n us*r input *ont*ins '_*sontyp*: "O*j**tI*"', t** *un*tion r*turns t** input wit*out p*r*ormin*

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-19729: bson-objectid contains Improper input validation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI