
MSA-2025-09-002

NoSQL Injection

Release Date: Sep 30, 2025
Last Updated: Sep 30, 2025
Severity: Critical
Status: Fixed
CVSS 3.1 Score: 9.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Note: the published score and vector do not agree; the vector string as written evaluates to a base score of 8.8 under the CVSS 3.1 formula (PR:L reduces the exploitability sub-score).


Overview

On 2025-09-29T06:23:00Z, we received a security report describing a NoSQL injection vulnerability in the /api/device/template endpoint. The endpoint was originally intended to provide a set of server-side rendering capabilities. However, because it directly accepts and executes a MongoDB aggregation pipeline supplied by the client, an attacker can craft requests that, among other things, read sensitive data, write or tamper with data, and trigger denial of service (DoS). The resulting risk is high.

We immediately enabled temporary mitigations and began the permanent remediation process. No evidence of widespread malicious exploitation has been found at this time.

Impact Scope

Affected Product: Dot Server-side API
Affected Version: Current production version of /api/device/template
Fixed Version: To be announced (this advisory will be updated after the permanent fix is released)
Affected Component: /api/device/template
Attack Vector: Network
Required Privilege: Low (greater impact with a valid user token; possible abuse under weak validation in some scenarios)

Technical Description

  • Root Cause: The endpoint allows clients to directly control aggregation operators and structure, which are executed verbatim on the server, creating a NoSQL injection surface.

Remediation

To quickly reduce risk and fully eliminate the injection surface, we are proceeding in two phases (mitigation and permanent fix):

  • Immediate Actions:
    • Temporarily disable or gradually restrict high-risk operators in /api/device/template, enforce strict field whitelisting and rate limiting, and block suspicious aggregation stages.
    • Increase request auditing and alerting to identify suspicious sources and access frequency.
  • Permanent Fix:
    • Introduce server-side parameterization and a query builder so that only controlled aggregation stages are assembled on the server; disallow client-supplied operators or free-form structures.
    • Minimize returned data (field-level projection and masking) and enforce fine-grained authorization checks based on user and resource boundaries.
    • Conduct a comprehensive audit of similar historical endpoints to eliminate analogous risks.
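
The root cause described above and the two remediation phases, shown side by side as an added example that is not Dot's code: a handler that passes the client-supplied pipeline to aggregate() unchanged, an interim blocklist of high-risk stages with a size cap, and the server-side query builder of the permanent fix, which assembles a fixed pipeline from validated parameters and a caller-bound ownership match. The handler signatures, the projectable field list, the stub collection and the attacker request body are all assumptions constructed for this example; only the operator names are real MongoDB operators.

```javascript
'use strict';

// Added example, not Dot's code. Operators a server-side rendering endpoint has
// no reason to execute: they read other collections, write to the database, or
// run server-side JavaScript. The names are real MongoDB operators; blocking
// exactly this set is this example's policy, not Dot's published ruleset.
const BLOCKED_OPERATORS = new Set([
  '$lookup', '$graphLookup', '$unionWith', '$out', '$merge',
  '$where', '$function', '$accumulator',
]);

// Walk a client-supplied pipeline and collect every key that begins with "$".
// Serves the interim mitigation (reject) and request auditing (log what the
// caller attempted) alike, because the walk is independent of pipeline shape.
function findOperators(node, found = new Set()) {
  if (Array.isArray(node)) {
    for (const item of node) findOperators(item, found);
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key.startsWith('$')) found.add(key);
      findOperators(value, found);
    }
  }
  return found;
}

function findBlockedOperators(pipeline) {
  return [...findOperators(pipeline)].filter((op) => BLOCKED_OPERATORS.has(op)).sort();
}

// Root cause: the request body's pipeline reaches aggregate() verbatim.
function vulnerableHandler(body, collection) {
  return collection.aggregate(body.pipeline);
}

// Interim mitigation: same request contract, but blocked operators and
// oversized pipelines are refused before anything reaches the database.
const MAX_STAGES = 5; // hypothetical cap
function mitigatedHandler(body, collection) {
  const pipeline = body.pipeline;
  if (!Array.isArray(pipeline) || pipeline.length > MAX_STAGES) {
    throw new Error(`rejected: pipeline must be an array of at most ${MAX_STAGES} stages`);
  }
  const blocked = findBlockedOperators(pipeline);
  if (blocked.length > 0) {
    throw new Error(`rejected: blocked operators ${blocked.join(', ')}`);
  }
  return collection.aggregate(pipeline);
}

// Permanent fix: the client supplies parameters only; the server assembles
// every stage. ALLOWED_FIELDS and MAX_LIMIT are hypothetical values.
const ALLOWED_FIELDS = new Set(['deviceId', 'name', 'model', 'firmware', 'lastSeen']);
const MAX_LIMIT = 100;

function buildTemplatePipeline(params, ownerId) {
  // deviceId must be a plain string: an object such as {"$ne": null} would
  // otherwise turn the equality match into "every device in the collection".
  if (typeof params.deviceId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(params.deviceId)) {
    throw new Error('rejected: deviceId must be a short alphanumeric string');
  }
  const fields = Array.isArray(params.fields) && params.fields.length > 0
    ? params.fields : [...ALLOWED_FIELDS];
  for (const f of fields) {
    if (typeof f !== 'string' || !ALLOWED_FIELDS.has(f)) {
      throw new Error(`rejected: field ${String(f)} is not projectable`);
    }
  }
  const limit = Number.isInteger(params.limit) && params.limit > 0
    ? Math.min(params.limit, MAX_LIMIT) : MAX_LIMIT;
  const projection = Object.fromEntries(fields.map((f) => [f, 1]));
  projection._id = 0;
  return [
    // Authorization boundary: a caller only ever sees devices they own.
    { $match: { ownerId, deviceId: params.deviceId } },
    { $project: projection },
    { $limit: limit },
  ];
}

function fixedHandler(body, collection, user) {
  return collection.aggregate(buildTemplatePipeline(body, user.id));
}

// Offline stand-in for a MongoDB collection: records the pipeline it was asked
// to run instead of executing anything, so the example needs no database.
function recordingCollection() {
  const runs = [];
  return { runs, aggregate(pipeline) { runs.push(pipeline); return { ok: true, stages: pipeline.length }; } };
}

// Constructed attacker request (not a captured one): join the users collection
// into the result, then write everything out to a new collection.
const ATTACKER_BODY = {
  pipeline: [
    { $lookup: { from: 'users', localField: 'ownerId', foreignField: '_id', as: 'owner' } },
    { $out: 'exfil' },
  ],
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const db = recordingCollection();
  vulnerableHandler(ATTACKER_BODY, db);
  console.log('vulnerable handler ran:', JSON.stringify(db.runs[0]));
  try { mitigatedHandler(ATTACKER_BODY, db); } catch (e) { console.log('mitigated:', e.message); }
  console.log('fixed:', JSON.stringify(buildTemplatePipeline({ deviceId: 'dev-42', fields: ['name'], limit: 5000 }, 'user-1')));
}
```

The blocklist is a stopgap only: an allowlist of stages can be bypassed by an operator nobody thought to list, which is why the permanent fix makes the pipeline's shape static and lets the client change values alone. Note that the builder also checks the type of every value it accepts, since a $match whose value is an attacker-controlled object is an injection point even when the stage itself was assembled on the server.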

Impact Assessment

  • No evidence of malicious exploitation: Logs show no abnormal bulk access or data exfiltration.

User Action

  • No user-side action is required at this time. We have enabled server-side interception and restriction strategies and will complete the permanent fix as soon as possible.

Acknowledgements

We sincerely thank Mason for reporting this issue through responsible disclosure and providing valuable verification assistance during the fix. This spirit of collaboration helps protect all users' data security.


Disclaimer: This advisory is compiled based on currently available information. We will continue to monitor related threat intelligence and will revise this advisory promptly in case of significant updates.
Document ID: MSA-2025-09-002
Classification: Public
Issued by: MindReset Security Team
