Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

A proof of concept malicious query:

GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}

The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.


Update to version 3.6.0 or later.

Advisory timeline

  1. access

    Advisory made public
    Aug 30th, 2018
  2. published

    Advisory published on loopback.io
    Aug 30th, 2018
  3. reported

    Initial report by NelsonBrandao
    Aug 30th, 2018