GMS-2020-717: NoSQL injection in express-cart

September 1, 2020 (updated September 24, 2021)

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection.

The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.

These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex operator is used to guess each character of the token from the start.

Recommendation

Update to version 1.1.8 or later.

References

github.com/advisories/GHSA-f5cv-xrv9-r8w7
github.com/nodejs/security-wg/blob/master/vuln/npm/472.json
hackerone.com/reports/397445
www.npmjs.com/advisories/724

Detect and mitigate GMS-2020-717 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →