Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized which leads to execution of code on the database driver and data leak.

Recommendation

Upgrade to version 3.6.0 or later.

References

• https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html
• https://www.npmjs.com/advisories/767
• https://github.com/loopbackio/loopback-connector-mongodb