Skip to content

NoSQL Injection in loopback-connector-mongodb

High severity GitHub Reviewed Published Sep 2, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm loopback-connector-mongodb (npm)

Affected versions

<= 3.5.0

Patched versions

3.6.0

Description

Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized which leads to execution of code on the database driver and data leak.

Recommendation

Upgrade to version 3.6.0 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 2, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-hxwc-5vw9-2w4w

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.