# NoSQL Injection via MongoDB Queries

- ID: javascript-nosql-injection
- Severity: HIGH
- CWE: NoSQL Injection (CWE-943)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify

## Description

Detects user input flowing into NoSQL database queries without validation.

## Detection Message

Untrusted input from {source} reaches NoSQL query at {sink}. This allows an attacker to manipulate database queries and potentially bypass authentication or access unauthorized data.

## Remediation

Validate input types and use mongo-sanitize to remove operators from user input.

```javascript
const mongoSanitize = require('mongo-sanitize');

// Strip every key that begins with "$" from the untrusted body so that
// no query operator can reach the filter passed to findOne.
const sanitized = mongoSanitize(req.body.query);
const user = await User.findOne(sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-943/nosql-injection

## Related Rules

- **NoSQL Injection** [HIGH]
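The remediation above, worked through as an added example (not code from the rule page or from mongo-sanitize itself): `stripOperators` is a minimal re-implementation of what mongo-sanitize does (recursively dropping keys that begin with `$`), and `buildLoginFilter` is the stricter type-validation step the rule recommends; the request body and the `User.findOne` shape are constructed assumptions.

```javascript
// Added example: two layers of defence against CWE-943 before a value
// derived from req.body is used as a MongoDB filter.

// Layer 1: operator stripping, mirroring mongo-sanitize's behaviour.
// Any object key starting with "$" is removed, at every nesting level.
function stripOperators(value) {
  if (Array.isArray(value)) {
    return value.map(stripOperators);
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!key.startsWith('$')) {
        clean[key] = stripOperators(inner);
      }
    }
    return clean;
  }
  return value; // primitives pass through unchanged
}

// Layer 2: type validation. A login filter only ever needs two plain
// strings, so anything that is not a string (the only way JSON can carry
// an operator is as an object key) is rejected instead of cleaned.
// Returns the filter to use, or null when the input must be refused.
function buildLoginFilter(body) {
  if (body === null || typeof body !== 'object') return null;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return { username, password };
}

// Express-style handler (assumed Mongoose-like `User.findOne`): reject with
// 400 before the query is built rather than letting findOne see the body.
function makeLoginHandler(User) {
  return async (req, res) => {
    const filter = buildLoginFilter(req.body);
    if (filter === null) {
      return res.status(400).json({ error: 'username and password must be strings' });
    }
    const user = await User.findOne(filter);
    return res.status(user ? 200 : 401).json({ ok: Boolean(user) });
  };
}

// Constructed request body of the kind the rule flags: the password field
// is an object carrying a query operator instead of a string.
const constructedBody = { username: 'alice', password: { $ne: '' } };
```

Run against `constructedBody`, `stripOperators` leaves `{ username: 'alice', password: {} }` (operator removed but an empty-object password still reaches the query), while `buildLoginFilter` returns `null`, which is why the rule asks for type validation in addition to sanitizing.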