
CVE-2019-19729: bson-objectid contains Improper input validation

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.45518%
Published: 5/24/2022
Updated: 9/26/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
bson-objectid | npm | <= 1.3.0 | none listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the ObjectID constructor's control flow, which checks for a '_bsontype' property before performing proper input validation. When user input contains '_bsontype: "ObjectID"', the constructor returns that input as-is without completing validation (CWE-670). This allows an attacker to inject arbitrary properties into what the application treats as a valid ObjectID (CWE-20). Because the constructor is the primary entry point for object creation, it is the clear vulnerable function given the advisory's description of the early-return mechanism.
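The early-return pattern the root-cause analysis describes, as an added example in JavaScript that is not bson-objectid's own code: a simplified constructor reconstructed from the description (an assumption about its shape, not the library's source), the hardened form that validates the payload before trusting `_bsontype`, and a check a reviewer can run against either constructor.

```javascript
// Added illustration of the control-flow flaw described above. This is NOT
// bson-objectid's code; the vulnerable constructor is a simplified
// reconstruction of the behaviour the advisory describes (assumption).
const HEX24 = /^[0-9a-fA-F]{24}$/;

// Vulnerable pattern: the `_bsontype` check runs before validation, so any
// object carrying `_bsontype: "ObjectID"` is returned untouched (CWE-670).
function vulnerableObjectID(input) {
  if (input && input._bsontype === 'ObjectID') return input; // early return
  if (typeof input === 'string' && HEX24.test(input)) {
    return { _bsontype: 'ObjectID', id: input.toLowerCase() };
  }
  throw new TypeError('invalid ObjectID');
}

// Hardened pattern: never trust the marker property; validate the id
// regardless, and return a freshly built object rather than the caller's.
function hardenedObjectID(input) {
  const id = input && typeof input === 'object' ? input.id : input;
  if (typeof id !== 'string' || !HEX24.test(id)) {
    throw new TypeError('invalid ObjectID');
  }
  return { _bsontype: 'ObjectID', id: id.toLowerCase() };
}

// Defender-side check: does a constructor accept a malformed object that
// merely claims to be an ObjectID? Returns true when the flaw is present.
function acceptsSpoofedObjectID(ctor) {
  // Constructed sample: carries the marker, but no valid 24-hex id, plus an
  // extra property that a genuine ObjectID would never have.
  const spoofed = { _bsontype: 'ObjectID', id: 'not-hex', injected: true };
  try {
    const out = ctor(spoofed);
    return out === spoofed || 'injected' in out;
  } catch (e) {
    return false; // rejected: no pass-through of the caller's object
  }
}
```

Running `acceptsSpoofedObjectID` against each constructor shows the vulnerable one returning the caller's object (extra property included) while the hardened one rejects it.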


WAF Protection Rules

WAF Rule

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early
