TL;DR There’s a subtle bug in the BSON-ruby implementation, leading in the best case to a low-severity DoS, but most likely to a critical BSON injection (similar to SQL injection), depending on the gem version you use. 3 years ago I wrote a blog post about broken regular expressions in Ruby, where ^ and $ match at line boundaries (\n) rather than only at the start and end of the string. Back then I was only able to demonstrate XSS on Github and other websites using “javascri