Is it secure?

[KOLANICH]

https://github.com/WebAssembly/design/blob/master/Security.md

Although attackers cannot perform direct code injection attacks, it is possible to hijack the control flow of a module using code reuse attacks against indirect calls.

[vgrichina]

Parser should be safe from buffer overruns as it's reads binary data from Uint8Buffer, which implements boundary checks:
https://github.com/AssemblyScript/assemblyscript/blob/master/std/assembly/internal/typedarray.ts#L50

However note that its would still result in crash (of WA guest), so depending on your app attacker can be doing denial of service attack by sending invalid BSON.

It's not a problem in case of smart contracts for https://github.com/nearprotocol/nearcore, cause they are expected to have short execution time and fail fast on errors.