I have searched existing issues to ensure the performance issue has not already been reported
Last performant version
8.7.0
Slowed down in version
8.7.0
Node.js version
20.17.0
🦥 Performance issue
When using the `findOne()` method and passing it a query value of `undefined`, like so: `User.findOne(undefined)`, the response is the first document in the User collection.
This is unique to Mongoose, and different from `db.collection.findOne(undefined)` in regular MongoDB, which returns `null` in such a case.
The problem: privacy issues. A hacker can pass `undefined` and retrieve the first user in the database, which may have sensitive information.
Steps to Reproduce
1. Create a User collection in a MongoDB database.
2. Add some users to the database with some fields (username, password, etc.).
3. In your server's controller, run a Mongoose method `getUser`:

```ts
import type { Request, Response } from "express";
import { User } from "./models/User"; // path assumed; import your own Mongoose User model here

export const getUser = async (req: Request, res: Response) => {
  try {
    // Reproduction: the filter passed to findOne() is undefined
    const user = await User.findOne(undefined);
    console.log(user);
    res.status(200).json(user);
  } catch (error) {
    res.status(500).json({ message: "Error fetching user", error });
  }
};
```
Expected Behavior
Notice that what the console logs as "user" is the first user in your database (and not `null`).