
Security of session tokens: a [$gt] injection vulnerability

The way Mongo adapters normally work is you pass something like {token: params.token} but in many languages it’s easy to pass {$gt: 1} or [$gt]=1 and bypass this protection.

Very recent example: https://github.com/advisories/GHSA-h4mf-75hf-67w4 and I’ve seen many more personally during security audits.

We managed to fix it in sequelize (https://github.com/sequelize/sequelize/issues/7310), but I believe it’s better to fix it once and for all in main mongo adapters.

Solution: change the format of keys to something that cannot be crafted from JSON user input, e.g. sequelize now uses [Op.gt]: 1
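
The difference between string-keyed and Symbol-keyed operators, shown as an added example that is not part of the original post or of any adapter's code. The in-memory matchers, the `sessions` data, `requireString` and `findSession` are hypothetical stand-ins for a database adapter and an application lookup.

```javascript
// Constructed example: a tiny in-memory matcher standing in for a database adapter.
const Op = { gt: Symbol('gt') }; // operator key in the style of sequelize's Op.gt

// Constructed session store with one constructed token.
const sessions = [{ token: 'c0ffee-constructed-token', user: 'alice' }];

// Legacy style: an object value carrying the string key "$gt" is an operator.
function matchLegacy(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;
    }
    return doc[field] === cond;
  });
}

// Symbol style: only Symbol keys are operators. JSON and query-string parsers
// can only produce string keys, so "$gt" from user input is plain data here.
function matchSymbol(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && Op.gt in cond) {
      return doc[field] > cond[Op.gt];
    }
    return doc[field] === cond;
  });
}

// Application-side guard that works with either style: a token must be a string.
function requireString(value) {
  if (typeof value !== 'string') throw new TypeError('token must be a string');
  return value;
}

// The lookup from the post: {token: params.token} passed straight to the adapter.
function findSession(match, token) {
  return sessions.find((doc) => match(doc, { token })) || null;
}

// What a JSON body or a token[$gt]= query parameter parses to (constructed input).
const crafted = JSON.parse('{"token": {"$gt": ""}}').token;

console.log('legacy matcher :', findSession(matchLegacy, crafted)); // session returned without the token
console.log('symbol matcher :', findSession(matchSymbol, crafted)); // null
console.log('real token     :', findSession(matchSymbol, requireString('c0ffee-constructed-token')));
```
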