Advisories for Npm/Mongodb package

2023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue …

2020

Denial of Service in mongodb

Affected versions of mongodb are vulnerable to Denial of Service (DoS). The package fails to catch the exception raised when a collection name is invalid and the database does not exist, so the uncaught error crashes the application. Upgrade to or later.