GuardAPI Logo
GuardAPI

Fix NoSQL Injection in Vert.x

Vert.x applications using the MongoDB client are frequently vulnerable to NoSQL injection when developers blindly trust `JsonObject` construction. By injecting operators like `$gt`, `$ne`, or `$regex` through API parameters, an attacker can bypass authentication or exfiltrate the entire database. If your input isn't strictly typed and sanitized before being passed to the driver, your data layer is wide open.

The Vulnerable Pattern

public void login(RoutingContext rc) {
    // Attacker sends: ?password={"$ne":"wrong"}
    String user = rc.request().getParam("username");
    String pass = rc.request().getParam("password");

JsonObject query = new JsonObject()
    .put("username", user)
    .put("password", pass);

mongoClient.findOne("users", query, null, res -> {
    if (res.succeeded() && res.result() != null) {
        rc.response().setStatusCode(200).end("Authenticated");
    } else {
        rc.response().setStatusCode(401).end();
    }
});


}

The Secure Implementation

The vulnerability stems from `JsonObject.put()` accepting `Object` values. When Vert.x parses a request, an attacker can supply a JSON object instead of a string. If the driver receives `{"password": {"$ne": ""}}`, the query logic is altered to 'password not equal to empty', effectively bypassing credential checks. To fix this: 1) Implement strict type checking to ensure inputs are literal strings. 2) Use the explicit `$eq` operator in your queries. This forces the MongoDB engine to treat the input as a value to match against, rather than a command to execute. 3) Sanitize input keys to strip any leading `$` characters which are reserved for MongoDB operators.

public void login(RoutingContext rc) {
    String user = rc.request().getParam("username");
    String pass = rc.request().getParam("password");

// 1. Strict Type Validation: Ensure input is a primitive string
if (!(user instanceof String) || !(pass instanceof String)) {
    rc.response().setStatusCode(400).end("Invalid Input Type");
    return;
}

// 2. Use explicit $eq operator to prevent operator injection
JsonObject query = new JsonObject()
    .put("username", new JsonObject().put("$eq", user))
    .put("password", new JsonObject().put("$eq", pass));

mongoClient.findOne("users", query, null, res -> {
    if (res.succeeded() && res.result() != null) {
        rc.response().setStatusCode(200).end("Authenticated");
    } else {
        rc.response().setStatusCode(401).end();
    }
});


}

System Alert • ID: 1769
Target: Vert.x API
Potential Vulnerability

Your Vert.x API might be exposed to NoSQL Injection

74% of Vert.x apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X