GuardAPI Logo
GuardAPI

Fix NoSQL Injection in Feathers

FeathersJS services are highly susceptible to NoSQL Injection because their query syntax (standard across many adapters like MongoDB and NeDB) maps directly to database operators. Without strict input validation, an attacker can inject operators like $ne (not equal), $gt (greater than), or $regex to bypass authentication, leak sensitive records, or perform DoS attacks.

The Vulnerable Pattern

// Vulnerable Service Hook
// This allows any query parameter from the client to reach the database adapter
app.service('users').hooks({
  before: {
    find: [ 
      async (context) => {
        // Directly passing context.params.query without filtering
        // Attacker sends: /users?email[$ne]=null&password[$gt]=
        return context;
      }
    ]
  }
});

The Secure Implementation

The exploit occurs when the service adapter interprets keys starting with '$' as query operators rather than literal values. To mitigate this, you must adopt a 'Deny by Default' strategy. Using @feathersjs/schema with TypeBox allows you to define exactly which fields are queryable. By setting 'additionalProperties: false', any key not explicitly defined—including malicious operators like $ne, $regex, or $where—is automatically stripped from the query object before it ever hits the database layer.

// Secure Implementation using Feathers Schema & Validation
const { schema } = require('@feathersjs/schema');
const { Type } = require('@feathersjs/typebox');

// 1. Define a strict query schema
const userQuerySchema = Type.Object({
email: Type.Optional(Type.String({ format: ‘email’ })),
id: Type.Optional(Type.String())
}, { additionalProperties: false }); // Disallows all $operators


// 2. Apply the validation hook
app.service(‘users’).hooks({
before: {
find: [
schema.validateQuery(userQuerySchema),
async (context) => {
// Only validated ‘email’ and ‘id’ are now in context.params.query
return context;
}
]
}
});

System Alert • ID: 2508
Target: Feathers API
Potential Vulnerability

Your Feathers API might be exposed to NoSQL Injection

74% of Feathers apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X