In most case you probably need to open the issue for MongoDB Driver. But if you are sure, that this project is vulnerable, then feel free to go to Security page and report.