Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

A proof of concept malicious query:

GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}

The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.


Update to version 3.6.0 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. access

    Advisory made public
    Aug 30th, 2018
  2. published

    Advisory published on loopback.io
    Aug 30th, 2018
  3. reported

    Initial report by NelsonBrandao
    Aug 30th, 2018