Fix NoSQL Injection in Nuxt
NoSQL injection in Nuxt/Nitro environments occurs when untrusted user input is directly merged into database query objects. Attackers exploit this by sending objects instead of strings—such as `{$ne: null}`—allowing them to bypass authentication logic or exfiltrate sensitive data. If you are using Mongoose or the MongoDB driver in your server routes without strict type enforcement, your application is vulnerable to operator injection.
The Vulnerable Pattern
// server/api/login.post.ts (Nitro route). defineEventHandler and readBody are
// Nitro/h3 auto-imports; `db` is assumed to be an already connected MongoDB Db
// instance obtained elsewhere in the project.
export default defineEventHandler(async (event) => {
  const body = await readBody(event);
  // VULNERABLE: body.password is used as-is. If it is { "$ne": "" }, the filter
  // becomes a "not equal to empty string" operator and the check is bypassed.
  const user = await db.collection('users').findOne({
    username: body.username,
    password: body.password
  });
  return user;
});
The Secure Implementation
The vulnerability exists because MongoDB drivers interpret nested objects as query operators. An attacker can replace a string value with an object like `{"$gt": ""}`, changing the logic from an equality check to a range query. To fix this, you must implement strict schema validation using a library like Zod to ensure that the input is a primitive string and not a nested object. Furthermore, explicitly casting values to `String()` at the query level provides a secondary layer of defense by neutralizing any potential object-based operator injection.
import { z } from 'zod';

// Both fields must be primitive strings; zod rejects objects such as { "$ne": "" }.
const LoginSchema = z.object({ username: z.string(), password: z.string() });

// server/api/login.post.ts. As above, `db` is assumed to be a connected MongoDB Db instance.
export default defineEventHandler(async (event) => {
  const body = await readBody(event);
  const result = LoginSchema.safeParse(body);
  if (!result.success) {
    throw createError({ statusCode: 400, statusMessage: 'Invalid Input' });
  }
  const { username, password } = result.data;
  // String() is the secondary layer: even an object would be coerced to a plain string.
  const user = await db.collection('users').findOne({
    username: String(username),
    password: String(password)
  });
  return user;
});
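To make the difference between the two handlers concrete, here is an added example (not code from the original page) that contrasts the vulnerable filter builder with a hardened one and checks each against the bypass payload described above. It runs without a database or the zod package: validateLogin is a hand-written stand-in for LoginSchema.safeParse, and the request bodies are constructed inline in place of readBody(event).

```javascript
// Added example (not code from the original page): the vulnerable filter
// builder next to a hardened one, runnable without a database or zod.
// Request bodies are constructed inline to stand in for readBody(event).

// Vulnerable: whatever the client sent becomes the filter, operators included.
function buildVulnerableFilter(body) {
  return { username: body.username, password: body.password };
}

// Stand-in for LoginSchema.safeParse(): both fields must be primitive strings,
// which is what z.string() enforces against an object like { $ne: "" }.
function validateLogin(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { success: false, error: 'body must be an object' };
  }
  for (const field of ['username', 'password']) {
    if (typeof body[field] !== 'string') {
      return { success: false, error: `${field} must be a string` };
    }
  }
  return { success: true, data: { username: body.username, password: body.password } };
}

// Hardened: reject anything that is not a string, then apply String() as the
// secondary layer the article describes.
function buildSafeFilter(body) {
  const result = validateLogin(body);
  if (!result.success) throw new Error(`400 Invalid Input: ${result.error}`);
  return { username: String(result.data.username), password: String(result.data.password) };
}

// Secondary layer on its own: String({ $ne: '' }) is '[object Object]', a plain
// string with no operator, so the lookup can no longer match every document.
function buildStringCastFilter(body) {
  return { username: String(body.username), password: String(body.password) };
}

// Detection helper: does any nested value carry a '$'-prefixed operator key?
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some((k) => k.startsWith('$') || containsOperator(value[k]));
}

// Constructed sample bodies: a normal login and the article's bypass payload.
const legitBody = { username: 'alice', password: 'correct horse' };
const injectedBody = { username: 'alice', password: { $ne: '' } };

console.log(containsOperator(buildVulnerableFilter(injectedBody))); // true
console.log(containsOperator(buildStringCastFilter(injectedBody))); // false
```

The String() cast alone turns the payload into a harmless literal but silently changes what is compared, which is why the schema check, not the cast, should be the primary control.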
Verified by Ghost Labs Security Team