Security of session tokens: a [$gt] injection vulnerability

The way Mongo adapters normally work is that the application builds the lookup as something like {token: params.token}. But in many web frameworks the request parser will happily turn user input into an object instead of a string: a JSON body of {"token": {"$gt": 1}} or a query string of token[$gt]=1 both arrive as {token: {$gt: 1}}. The query is then no longer an equality check against the user's own token but an operator query against the whole session collection, which bypasses this protection.

Very recent example: and I've seen many more personally during security audits.

We managed to fix it in sequelize (, but I believe it's better to fix it once and for all in the main mongo adapters.

Solution: change the format of operator keys to something that cannot be crafted from JSON (or query-string) user input, since those parsers can only ever produce string keys; e.g. sequelize now uses []: 1
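As an added, self-contained illustration of the problem and of the fix described above (this is example code, not the sequelize or any Mongo adapter's actual code), the block below uses a toy in-memory matcher in place of MongoDB, a minimal Express-style query-string parser, and a constructed session store. Session tokens, user names and the Op object are all assumptions made for the example. It shows a token lookup being bypassed by token[$gt]=1 and by a {"$ne": ""} JSON body, then two hardenings: insisting on a string token at the application layer, and the adapter-side approach of making operators Symbol keys, which no JSON or query-string parser can produce.

```javascript
'use strict';
// Added example, not code from the original post: [$gt] injection against a
// naive Mongo-style token lookup, and two fixes. Everything here is constructed.

// Minimal query-string parser in the style of Express's body/query parsing:
// "token[$gt]=1" becomes { token: { $gt: '1' } }.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Assumed operator table for the hardened adapter. Symbols cannot be produced by
// JSON.parse or a query-string parser, which only ever yield string keys.
const Op = Object.freeze({ gt: Symbol('gt'), ne: Symbol('ne') });

// Toy stand-in for MongoDB's matching of one field against a condition.
// opsAreSymbols=false: a string key starting with '$' is an operator (the
// convention that makes user-supplied objects dangerous).
// opsAreSymbols=true: only Symbol keys are operators; a string-keyed object from
// the request is just a literal that can never equal a string token.
function matchField(actual, cond, opsAreSymbols) {
  if (cond === null || typeof cond !== 'object') return actual === cond;
  const ops = opsAreSymbols ? Object.getOwnPropertySymbols(cond) : Object.keys(cond);
  if (ops.length === 0) return false;
  return ops.every((op) => {
    if (op === '$gt' || op === Op.gt) return actual > cond[op];
    if (op === '$ne' || op === Op.ne) return actual !== cond[op];
    return false; // unknown operator: match nothing
  });
}

function find(docs, query, opsAreSymbols = false) {
  return docs.filter((doc) =>
    Object.keys(query).every((field) => matchField(doc[field], query[field], opsAreSymbols)));
}

// Constructed session store.
const SESSIONS = [
  { token: 'a1b2c3', user: 'alice' },
  { token: 'z9y8x7', user: 'admin' },
];

// Vulnerable: whatever the request parser produced goes straight into the query.
function lookupVulnerable(params) {
  return find(SESSIONS, { token: params.token });
}

// Fix 1 (application side): refuse anything that is not a plain string token.
function lookupTypeChecked(params) {
  if (typeof params.token !== 'string') return [];
  return find(SESSIONS, { token: params.token });
}

// Fix 2 (adapter side): operators are Symbol keys, so request-derived objects
// are inert literals and the injected "$gt"/"$ne" keys are never interpreted.
function lookupSymbolOps(params) {
  return find(SESSIONS, { token: params.token }, true);
}

// A legitimate operator query in the Symbol scheme still works for trusted code.
function sessionsWithTokenAbove(value) {
  return find(SESSIONS, { token: { [Op.gt]: value } }, true);
}

if (typeof require !== 'undefined' && require.main === module) {
  const viaQs = parseQuery('token[$gt]=1');               // { token: { $gt: '1' } }
  const viaJson = JSON.parse('{"token":{"$ne":""}}');     // { token: { $ne: '' } }
  console.log('vulnerable, qs  :', lookupVulnerable(viaQs).map((s) => s.user));
  console.log('vulnerable, json:', lookupVulnerable(viaJson).map((s) => s.user));
  console.log('type-checked    :', lookupTypeChecked(viaQs).map((s) => s.user));
  console.log('symbol ops      :', lookupSymbolOps(viaQs).map((s) => s.user));
  console.log('legit operator  :', sessionsWithTokenAbove('m').map((s) => s.user));
}
```

Note that the type check alone protects only the one lookup it is applied to; the Symbol-key approach fixes every query built on the adapter, which is the "once and for all" fix argued for above.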