PT-2019-20056 · Loopback · Loopback-Connector-Mongodb

Published 2019-06-04 · Updated 2019-06-04

Severity: None

No severity classifications or metrics are available. When they become available, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions: loopback-connector-mongodb versions prior to 3.6.0

Description: The MongoDB Connector for LoopBack fails to properly sanitize the filter object passed to query the database, so the dangerous $where property is forwarded to the MongoDB Driver. This allows JavaScript to be executed through the database Driver: an attacker who controls the filter can supply a malicious script. The $where property is a MongoDB feature that performs server-side JavaScript execution unless it is explicitly disabled.

Recommendations: Update to version 3.6.0 or later. As a temporary workaround, consider disabling the $where property in the MongoDB Driver to prevent server-side JavaScript execution. Restrict access to the MongoDB Connector for LoopBack to minimize the risk of exploitation, and avoid using the where filter with the $where property in API endpoints until the issue is resolved.
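The following is an added example, not code from loopback-connector-mongodb or from this advisory. It shows the kind of defensive check a LoopBack application can apply to an incoming `where` filter before the connector hands it to the MongoDB driver: walk the filter object (including the operands of `and`/`or` arrays) and reject it if the `$where` operator appears anywhere. The filter shapes and the `ctx.args.filter` hook signature are constructed samples and assumptions for illustration.

```javascript
// Added example (not the project's own code): reject LoopBack "where"
// filters that carry the MongoDB $where operator, so server-side JavaScript
// never reaches the driver. Sample filters below are constructed.

const FORBIDDEN_OPERATORS = new Set(['$where']);

// Recursively walk a filter value and return the dotted path of the first
// forbidden operator found, or null if the filter is clean. Arrays are
// traversed because "and"/"or" operands may nest the operator.
function findForbiddenOperator(node, path = []) {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findForbiddenOperator(node[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (node !== null && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      if (FORBIDDEN_OPERATORS.has(key)) return path.concat(key).join('.');
      const hit = findForbiddenOperator(node[key], path.concat(key));
      if (hit) return hit;
    }
  }
  return null;
}

// LoopBack REST clients send the filter as a JSON string in the query
// string; accept either a string or an already-parsed object.
function parseFilter(filter) {
  if (filter === undefined || filter === null) return {};
  if (typeof filter === 'string') return JSON.parse(filter);
  return filter;
}

// Throw if the filter would let $where reach the driver; otherwise return
// the parsed filter unchanged so the caller can pass it on to find().
function assertSafeFilter(filter) {
  const parsed = parseFilter(filter);
  const hit = findForbiddenOperator(parsed);
  if (hit) {
    const err = new Error(`rejected filter: forbidden operator at "${hit}"`);
    err.statusCode = 400;
    throw err;
  }
  return parsed;
}

// Hypothetical LoopBack "beforeRemote" style hook (assumed shape: the
// request filter lives at ctx.args.filter). It fails the request with the
// 400 error instead of letting the model method run.
function rejectUnsafeFilterHook(ctx, unused, next) {
  try {
    ctx.args.filter = assertSafeFilter(ctx.args.filter);
    next();
  } catch (err) {
    next(err);
  }
}

// Constructed demonstration inputs.
const cleanFilter = { where: { and: [{ status: 'active' }, { age: { gt: 18 } }] } };
const unsafeFilter = '{"where":{"or":[{"status":"active"},{"$where":"CONSTRUCTED"}]}}';

console.log(findForbiddenOperator(cleanFilter));                 // null
console.log(findForbiddenOperator(parseFilter(unsafeFilter)));   // where.or.1.$where

module.exports = { findForbiddenOperator, parseFilter, assertSafeFilter, rejectUnsafeFilterHook };
```

The check is an application-side defence in depth; the actual fix is upgrading the connector to 3.6.0 or later, and the workaround the advisory names (disabling server-side JavaScript on the MongoDB side) removes the capability the `$where` operator depends on regardless of what the application forwards.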

SQL injection


Weakness Enumeration

Related identifiers

GHSA-M734-R4G6-34F9

Affected products

Loopback-Connector-Mongodb