MongoDB vendored the S2 library in 2012 from an unversioned tarball, creating our own fork of the library. The library was made open source at google/s2geometry in 2015, and the first formally-versioned release was made in 2019. The earliest release of S2 was published with no known security vulnerabilities, and the same has applied to all subsequent releases.

This ticket will track the efforts to investigate if there were any vulnerabilities to the library that may have been fixed prior to the earliest release, but not applied to our fork, with the goal of confirming our confidence that our version of the S2 library is secure. We'll review the public commits made between 2015 and 2019, and attempt to contact the S2 maintainers for more information.