# LDAP Injection

- ID: javascript-ldap-injection
- Severity: HIGH
- CWE: LDAP Injection (CWE-90)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects user input flowing into LDAP queries (search filters or distinguished names) without escaping of LDAP special characters.

## Detection Message

User-controlled input from {source} flows to LDAP query at {sink} without sanitization.

## Remediation

Escape LDAP special characters before including user input in queries. Search-filter values (RFC 4515) and DN components (RFC 4514) have different special characters and different escaping rules, so apply the escaper that matches where the value lands rather than one generic replace for both.

```javascript
// RFC 4515 filter escaping: '*', '(', ')', '\' and NUL become a backslash plus two hex digits
const safe = input.replace(/[\\*()\0]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
// Put the escaped value in the filter; the base DN stays a fixed, trusted string
ldap.search('dc=example,dc=com', { ...opts, filter: `(cn=${safe})` });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection

## Related Rules

- **LDAP Injection** [HIGH]
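The following is an added worked example, not code from this rule page or from the shoulder.dev tooling. It places the vulnerable interpolation beside the hardened one and keeps RFC 4515 filter escaping separate from RFC 4514 DN escaping. The `buildUserSearch` helper, the `ou=...,dc=example,dc=com` base and the ldapjs-style `{ scope, filter, attributes }` options object are assumptions for illustration; nothing here talks to a directory, so it runs offline.

```javascript
// Added example, not from the rule page: filter vs. DN escaping for LDAP input.
// Runs stand-alone; no directory connection and no ldapjs dependency.

// RFC 4515 (search filters): '*', '(', ')', '\' and NUL inside an assertion value must be
// written as a backslash followed by exactly two hex digits (e.g. '*' -> '\2a').
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, c =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514 (distinguished names): ',', '+', '"', '\', '<', '>', ';' get a leading backslash,
// NUL becomes '\00', and a leading '#' or space and a trailing space are escaped as well.
function escapeDnValue(value) {
  let s = String(value).replace(/[,+"\\<>;]/g, c => '\\' + c);
  s = s.replace(/\0/g, '\\00');
  if (/^[ #]/.test(s)) s = '\\' + s;
  if (/ $/.test(s)) s = s.slice(0, -1) + '\\ ';
  return s;
}

// Vulnerable: the username is interpolated raw, so a value such as '*)(uid=*))(|(uid=*'
// rewrites the filter's structure. This is the pattern the rule flags.
function unsafeLoginFilter(username) {
  return `(&(objectClass=person)(uid=${username}))`;
}

// Hardened: the same payload is reduced to an inert assertion value.
function safeLoginFilter(username) {
  return `(&(objectClass=person)(uid=${escapeFilterValue(username)}))`;
}

// Shape of an ldapjs-style client.search(base, options, callback) call (assumption: ldapjs
// option names). The org unit is escaped as a DN component, the username as a filter value,
// and the DN suffix is a trusted constant rather than user input.
function buildUserSearch(orgUnit, username) {
  return {
    base: `ou=${escapeDnValue(orgUnit)},dc=example,dc=com`,
    options: {
      scope: 'sub',
      filter: safeLoginFilter(username),
      attributes: ['dn', 'mail'],
    },
  };
}

// Constructed payload: a classic filter-injection string, used only for demonstration.
const INJECTION = '*)(uid=*))(|(uid=*';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', unsafeLoginFilter(INJECTION));
  console.log('safe:  ', safeLoginFilter(INJECTION));
  console.log(buildUserSearch('people, eu', INJECTION));
}
```

Running the file prints the unescaped filter, which has turned into several top-level components that match every `uid`, next to the escaped one, where the whole payload sits inside a single `(uid=...)` assertion. The DN escaper is deliberately separate: a comma is harmless in a filter but splits a DN into a new RDN, while `*` is harmless in a DN but a wildcard in a filter.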