Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

Affected Packages

Go go.mongodb.org/mongo-driver

Affected versions: 0 (fixed in 1.5.1)

Related CVEs

CVE-2021-20329

Key Information

GHSA ID

GHSA-f6mq-5m25-4r72

Published

June 15, 2021 4:08 PM

Last Modified

September 17, 2024 3:38 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

go.mongodb.org/mongo-driver

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.