Type: Bug
Resolution: Duplicate
Priority: Minor - P4
Affects Version/s: None
Component/s: None

Part 1.3 of NODE-7598
What: A deeply nested acyclic plain-object document ({a:{a:{...{leaf:1}}}}) drives unbounded recursion in serialization until V8 throws RangeError: Maximum call stack size exceeded. The existing circular-reference guard does not catch this because each level is a fresh object.
Root cause: serializeObject → serializeInto in src/parser/serializer.ts threads a depth argument but never compares it against a limit. There is no BSON_MAX_NESTING_DEPTH enforcement, unlike the MongoDB server's own document nesting cap.
Conditions required: an application must serialize request-derived documents (e.g. a JSON request body) with BSON.serialize / serializeWithBufferAndIndex without first applying its own depth guard. This is the most realistic of the three: standard JSON body parsers enforce size but not depth, so a small (~1 KB) but deeply nested payload reaches the encoder. Practical impact still depends on the app's error handling: in most setups a caught RangeError degrades to a failed request rather than a process kill.
Pinned ref: 5b42c5a1535d45ec89ab9f1ed3bb249d09730e3c
Details & PoC: int-mongodb-js-bson-serialize-depth-dos/README.md and int-mongodb-js-bson-serialize-depth-dos/poc/ (run bash poc/run.sh).
Suggested fix: Introduce a BSON_MAX_NESTING_DEPTH limit (the server uses 100) checked in the serialize/size paths.
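
An application-side guard of the kind the conditions above describe as missing, as an added example that is not part of this report or of js-bson: an iterative depth check to run before BSON.serialize. The names nestingDepth, assertSerializableDepth, buildNested and MAX_NESTING_DEPTH are hypothetical; counting the root document as depth 1 and assuming JSON-derived (tree-shaped) input are assumptions.

```javascript
// Added example: pre-serialization depth guard (not js-bson code).
// Assumption: 100 mirrors the server cap mentioned in the report, and the
// root document counts as depth 1.
const MAX_NESTING_DEPTH = 100;

// Objects and arrays are descended into; binary views and Dates are leaves.
function isContainer(v) {
  return v !== null && typeof v === 'object' &&
    !ArrayBuffer.isView(v) && !(v instanceof Date);
}

// Returns the nesting depth of `value`, stopping as soon as it passes `limit`.
// Uses an explicit stack, so the check itself cannot overflow the call stack.
function nestingDepth(value, limit = MAX_NESTING_DEPTH) {
  if (!isContainer(value)) return 0;
  const stack = [[value, 1]];
  let deepest = 0;
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (depth > deepest) deepest = depth;
    if (depth > limit) return deepest; // early exit: already too deep
    for (const child of Object.values(node)) {
      if (isContainer(child)) stack.push([child, depth + 1]);
    }
  }
  return deepest;
}

// Throws a controlled, catchable error instead of letting the encoder recurse.
function assertSerializableDepth(doc, limit = MAX_NESTING_DEPTH) {
  if (nestingDepth(doc, limit) > limit) {
    throw new Error(`document nesting exceeds ${limit} levels`);
  }
  return doc;
}

// Constructed sample input: {a:{a:{...{leaf:1}}}}, built without recursion.
function buildNested(levels) {
  let doc = { leaf: 1 };
  for (let i = 1; i < levels; i++) doc = { a: doc };
  return doc;
}
```

Calling assertSerializableDepth on a request body before it reaches the encoder turns the deep-payload case into an ordinary validation error; a cyclic object also terminates here, because its apparent depth passes the limit.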

Is depended on by: NODE-7598 js-bson: three input-validation gaps in parsing/serialization - Blocked