
The 1.x versions of BSON are vulnerable, too, FWIW.



I tested on our app (which uses BSON-ruby 1.9.2) and was surprised to find that the detection code indicated it was not vulnerable. Turned out it was because we also use bson_ext — bson_ext replaces the vulnerable method with a C implementation which doesn't use regexes.
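
The point made in the comment above, that a C extension can silently replace a pure-Ruby method, can be checked directly from Ruby. The following is an added example, not code from the thread or from bson-ruby: `DemoBson::ObjectId.legal?` is a constructed stand-in for a regex-based Ruby validator, and the `Method#source_location` test distinguishes a method defined in a `.rb` file from one supplied natively (C extension or core).

```ruby
# Added example (not from the thread or bson-ruby). Determines whether the
# method actually loaded is a pure-Ruby one (has a source location) or a
# native override such as the one bson_ext installs (no source location).
# Exercising the method alone says nothing about the .rb code still shipped
# in the gem, which is what runs on JRuby or when the extension is absent.

module DemoBson
  module ObjectId
    # Constructed stand-in for a pure-Ruby, regex-based validator.
    # The name is hypothetical, not bson-ruby's actual API.
    def self.legal?(str)
      !!(str.to_s =~ /\A[0-9a-f]{24}\z/)
    end
  end
end

# Returns :ruby when the method body lives in a Ruby file, :native when it
# has no source location (C extension or core method), :missing otherwise.
def implementation_kind(receiver, name)
  return :missing unless receiver.respond_to?(name)
  receiver.method(name).source_location ? :ruby : :native
end

# Reports which implementation of each (receiver, method) pair is active,
# so a "not vulnerable" result can be read in light of what was loaded.
def audit_overrides(pairs)
  pairs.map do |receiver, name|
    kind = implementation_kind(receiver, name)
    loc = kind == :ruby ? receiver.method(name).source_location.join(":") : nil
    { target: "#{receiver}.#{name}", kind: kind, defined_at: loc }
  end
end

if $PROGRAM_NAME == __FILE__
  audit_overrides([[DemoBson::ObjectId, :legal?], ["abc", :upcase]]).each do |r|
    line = "#{r[:target]}: #{r[:kind]}"
    line << " (#{r[:defined_at]})" if r[:defined_at]
    puts line
  end
end
```

Running it under MRI reports `DemoBson::ObjectId.legal?` as `:ruby` with its file and line, and `String#upcase` as `:native`; a gem method showing `:native` where you expected the Ruby version is the bson_ext situation described above.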


Kinda funny to see a "safe" language saved by C. Just sayin'


Oh, that's a good catch. I checked on JRuby, which doesn't use bson_ext.



