Overview

    Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

    MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

    A proof of concept malicious query:

    GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
    

    The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.

    Remediation

    Update to version 3.6.0 or later.

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. access

      Advisory made public
      Aug 30th, 2018
    2. published

      Advisory published on loopback.io
      Aug 30th, 2018
    3. reported

      Initial report by NelsonBrandao
      Aug 30th, 2018