
MSA-2025-09-002

NoSQL Injection

Release Date: Sep 30, 2025
Last Updated: Sep 30, 2025
Severity: Critical
Status: Fixed
CVSS 4.0 Score: 9.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)


Overview

On 2025-09-29T06:23:00Z, we received a security report regarding a NoSQL injection vulnerability in the /api/device/template endpoint. This endpoint was originally intended to provide a set of server-side rendering capabilities. However, because it directly accepts and executes a MongoDB aggregation pipeline structure supplied by the client, an attacker can craft requests that, among other things, read sensitive data, write to or tamper with data, and trigger denial of service (DoS), resulting in high risk.

We have immediately enabled temporary mitigations and initiated a permanent remediation process. No evidence of widespread malicious exploitation has been found at this time.

Impact Scope

Affected Product: Dot Server-side API
Affected Version: Current production version of /api/device/template
Fixed Version: To be announced (will be updated after the permanent fix is released)
Affected Component: /api/device/template
Attack Vector: Network
Required Privilege: Low (greater impact with a valid user token; possible abuse under weak validation in some scenarios)

Technical Description

  • Root Cause: The endpoint allows clients to directly control aggregation operators and structure, which are executed verbatim on the server, creating a NoSQL injection surface.

Remediation

To quickly reduce risk and fully eliminate the injection surface, we are proceeding in two phases (mitigation and permanent fix):

  • Immediate Actions:
    • Temporarily disable or gradually restrict high-risk operators in /api/device/template, enforce strict field whitelisting and rate limiting, and block suspicious aggregation stages.
    • Increase request auditing and alerting to identify suspicious sources and access frequency.
  • Permanent Fix:
    • Introduce server-side parameterization and a query builder so that only controlled aggregation stages are assembled on the server; disallow client-supplied operators or free-form structures.
    • Minimize returned data (field-level projection and masking) and enforce fine-grained authorization checks based on user and resource boundaries.
    • Conduct a comprehensive audit of similar historical endpoints to eliminate analogous risks.
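The following is an added example in JavaScript, not MindReset's code, illustrating the pattern described above: the vulnerable shape (a request body treated as the pipeline) beside a server-side query builder that assembles only fixed aggregation stages from a field whitelist and refuses any client-supplied operator, which is also the signal the request auditing in the Immediate Actions would alert on. The collection field names (name, status, lastSeen, template, ownerId), the request shape and the sample requests are assumptions constructed for the example.

```javascript
// Added example, not MindReset's code. Demonstrates the Permanent Fix pattern:
// the server builds the aggregation pipeline from fixed stages and a field
// whitelist and never executes client-supplied operators. Field names and the
// request shape are assumptions; nothing here connects to a database.

// Fields a client may request; anything else (e.g. ownerId) is refused.
const ALLOWED_FIELDS = new Set(["name", "status", "lastSeen", "template"]);

// Before (the vulnerable pattern the advisory describes): the request body is
// used as the pipeline itself, so every operator and stage is client-controlled.
// Kept only for contrast.
function unsafePipelineFromClient(body) {
  return body.pipeline;
}

// Walk the client input and refuse any "$"-prefixed key at any depth, so an
// attempted operator or aggregation stage becomes a rejected request rather
// than a change to the query.
function assertNoOperators(value, path = "body") {
  if (value === null || typeof value !== "object") return;
  for (const [key, child] of Object.entries(value)) {
    if (key.startsWith("$")) {
      throw new Error(`operator ${key} not allowed at ${path}`);
    }
    assertNoOperators(child, `${path}.${key}`);
  }
}

// After: the client supplies only a device id and field names. The $match is
// bound to both the resource and the authenticated owner (userId comes from
// the session, never from the body) and the projection is built from the
// whitelist, so the client cannot widen the query or the returned data.
function buildTemplatePipeline(userId, body) {
  assertNoOperators(body);
  if (typeof body.deviceId !== "string" || body.deviceId.length === 0) {
    throw new Error("deviceId must be a non-empty string");
  }
  const fields = Array.isArray(body.fields) ? body.fields : [];
  const projection = { _id: 0 };
  for (const field of fields) {
    if (typeof field !== "string" || !ALLOWED_FIELDS.has(field)) {
      throw new Error(`field ${String(field)} not allowed`);
    }
    projection[field] = 1;
  }
  if (fields.length === 0) throw new Error("no fields requested");
  return [
    { $match: { _id: body.deviceId, ownerId: userId } },
    { $project: projection },
    { $limit: 1 },
  ];
}

// Audit helper: the rejection reason for a request body, or null if accepted.
// A non-null result is what request auditing would log and alert on.
function rejectionReason(userId, body) {
  try {
    buildTemplatePipeline(userId, body);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed sample requests (not real traffic).
const legitimate = { deviceId: "dev-001", fields: ["name", "status"] };
const operatorInjection = { deviceId: { $ne: null }, fields: ["name"] };
const clientStage = {
  deviceId: "dev-001",
  fields: ["name"],
  pipeline: [{ $group: { _id: null } }],
};

console.log(JSON.stringify(buildTemplatePipeline("user-42", legitimate)));
console.log(rejectionReason("user-42", operatorInjection));
console.log(rejectionReason("user-42", clientStage));
```

The owner binding in the $match stage is what enforces the "fine-grained authorization checks based on user and resource boundaries" bullet: a valid but low-privileged token can only ever reach its own device documents, and the whitelist projection is the field-level minimization of returned data.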

Impact Assessment

  • No evidence of malicious exploitation: Logs show no abnormal bulk access or data exfiltration.

User Action

  • No user-side action is required at this time. We have enabled server-side interception and restriction strategies and will complete the permanent fix as soon as possible.

Acknowledgements

We sincerely thank Mason for reporting this issue through responsible disclosure and providing valuable verification assistance during the fix. This spirit of collaboration helps protect all users' data security.


Disclaimer: This advisory is compiled based on currently available information. We will continue to monitor related threat intelligence and will revise this advisory promptly in case of significant updates.
Document ID: MSA-2025-09-002
Classification: Public
Issued by: MindReset Security Team
