- Type: Bug
- Resolution: Fixed
- Priority: Critical - P2
- Affects Version/s: 6.13.0
- Component/s: BSON
ISSUE DESCRIPTION AND IMPACT
The bson@6.4.0 library introduced a regression that, when the useBigInt64 option is enabled (it is disabled by default), can result in negative Int64 values being parsed as large positive values (greater than 9,223,372,036,854,775,807).
If you explicitly enable the useBigInt64 option, the following libraries that include the impacted bson library could be affected:
- MongoDB Node.js driver 6.0.0 - 6.13.0
- Mongoose 8.3.5 - 8.10.1
```javascript
// examples showing impacted operations via the Node.js driver
const client = new MongoClient('.../?useBigInt64=true');
const client = new MongoClient('...', { useBigInt64: true });
const collection = client.db('db', { useBigInt64: true }).collection('test');
const collection = client.db('db').collection('test', { useBigInt64: true });
const document = await collection.findOne({ _id }, { useBigInt64: true });

// example using BSON library directly
const bigint = -1n;
const bytes = BSON.serialize({ bigint });
const document = BSON.deserialize(bytes, { useBigInt64: true });
```
DIAGNOSIS AND AFFECTED VERSIONS
All versions of the bson library from 6.4.0 through 6.10.2 contain the bug, and as a result, every Node.js driver release from 6.0.0 through 6.13.0 could be impacted.
The following MUST be true for the bug to potentially affect an application:
- A version of the affected bson library is used (either directly, or as a dependency of another library such as the Node.js driver)
- The useBigInt64 option must be enabled (default is disabled)
- A negative BSON Int64 value is deserialized via the bson library, which will deserialize it as a positive value greater than 9,223,372,036,854,775,807 (0x7fffffffffffffff)
REMEDIATION AND WORKAROUNDS
Patches for all affected versions of the bson library have been released:
- 6.4.1
- 6.5.1
- 6.6.1
- 6.7.1
- 6.8.1
- 6.9.1
- 6.10.3
If you’re using a caret or tilde pinning strategy in your package.json (which most libraries would use out of the box), the following should allow you to update your bson dependency and verify the update was successful:

```shell
# update the bson library in the current project
$ npm update bson

# verify that the bson library has been updated for the current project
$ npm list bson
my_package@1.0.0
└─┬ mongodb@6.14.1
  └── bson@6.10.3
```
If you’ve manually pinned bson to a specific version, please update your package.json to ensure one of the patched versions is specified, or a version greater than 6.10.2.
This issue can only impact workloads that have explicitly enabled the useBigInt64 option:
```javascript
const client = new MongoClient('.../?useBigInt64=true');
const client = new MongoClient('...', { useBigInt64: true });
const collection = client.db('db', { useBigInt64: true }).collection('test');
const collection = client.db('db').collection('test', { useBigInt64: true });
const document = await collection.findOne({ _id }, { useBigInt64: true });
```
If this option has been enabled, there is no general solution, as the impact depends on user code that relies upon the BigInt value to either make decisions (conditions) or calculate results (arithmetic). It may also depend on how the value may have been displayed or serialized to other formats (e.g. stringified). How to reverse the potential problem depends directly on the use case.
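One way to spot misread values that are still available as BigInt (in memory, or re-parsed from logs or exports) and reinterpret them as signed, shown as an added example that is not code from the bson library or the driver. The function names and the sample data are constructed for illustration, and the check assumes the misread value is the unsigned reading of the same 8 bytes, as the original report in this ticket shows for -1n.

```javascript
// Added example: names and sample data are constructed, not from bson itself.
const INT64_MAX = 0x7fffffffffffffffn;
const UINT64_MAX = 0xffffffffffffffffn;

// Read the 8-byte little-endian payload of a BSON Int64, signed or unsigned.
function readInt64LE(bytes, signed) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, 8);
  return signed ? view.getBigInt64(0, true) : view.getBigUint64(0, true);
}

// A BigInt that came from a BSON Int64 can never legitimately exceed INT64_MAX,
// so anything in (INT64_MAX, UINT64_MAX] is a negative value read as unsigned.
function isMisreadInt64(value) {
  return typeof value === 'bigint' && value > INT64_MAX && value <= UINT64_MAX;
}

// Reinterpret the low 64 bits as two's complement to recover the stored value.
function repairInt64(value) {
  return isMisreadInt64(value) ? BigInt.asIntN(64, value) : value;
}

// Walk a deserialized document in place; return the dotted paths that were fixed.
function repairDocument(doc, prefix = '', fixed = []) {
  for (const [key, value] of Object.entries(doc)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isMisreadInt64(value)) {
      doc[key] = repairInt64(value);
      fixed.push(path);
    } else if (value && typeof value === 'object' && !ArrayBuffer.isView(value)) {
      repairDocument(value, path, fixed);
    }
  }
  return fixed;
}

// Constructed sample: payload bytes of Int64 -1, and a document as an affected
// bson version would have returned it with useBigInt64 enabled.
const minusOne = Uint8Array.from([0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
const sample = {
  _id: 1,
  balance: 18446744073709551615n,           // stored as -1
  history: [5n, 18446744073709551574n],     // second entry stored as -42
};
console.log(readInt64LE(minusOne, true), readInt64LE(minusOne, false));
console.log(repairDocument(sample), sample);
```

This only recovers the raw value; decisions or arithmetic already performed on the misread number still have to be reviewed per use case.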
OTHER AFFECTED TOOLS
- MongoDB Shell 2.2.0 - 2.3.9 (if scripts or operations via the REPL were executed with useBigInt64 and promoteLongs explicitly enabled)
- Compass 1.42.3-beta.4 - 1.45.3 (embedded shell is impacted under the same conditions as the MongoDB Shell)
- VSCode Extension 1.6.1 - 1.12.0 (Playgrounds are MongoDB Shell scripts and would be impacted under the same conditions as the MongoDB Shell)
ORIGINAL ISSUE DESCRIPTION:
Parsing negative numbers using `useBigInt64` appears to parse the number as an unsigned int64, instead of a signed int64.
```
> bson = require('mongodb').BSON // OR: bson = require('bson')
> bson.deserialize(bson.serialize({a: -1n}), { useBigInt64: false })
{ a: -1 }
> bson.deserialize(bson.serialize({a: -1}), { useBigInt64: true })
{ a: -1 }
> bson.deserialize(bson.serialize({a: -1n}), { useBigInt64: true })
{ a: 18446744073709551615n }
```
Tested with mongodb 6.13.0 / bson 6.10.2.
is depended on by
- COMPASS-9002 Bump bson to 6.10.3 (Closed)

related to
- COMPASS-9006 Bump mongosh to 2.4.0 (Closed)
- MONGOSH-2016 Bump node driver to bson-6.10.3 (Closed)
- VSCODE-680 Bump Shell and Compass dependencies (Closed)
- COMPASS-9064 Release Compass 1.45.4 (Closed)
- MONGOSH-2017 Release mongosh 2.4.0 (Closed)
- VSCODE-681 Release VSCode extension 1.12.1 (Closed)