CVE-2025-65782: Picker Route Nosql Injection
The `Picker.route` router unsafely merges query string parameters into the `params` callback argument, leading to parameter pollution and potential NoSQL injection. An attacker can supply query string parameters written in object-operator notation (e.g., `?id[$ne]=1`); the resulting object takes the place of the standard URL path variable, so a handler that passes the value straight into a database selector has its query structure overridden.
Fetch this rule with: `greprules fetch cve-2025-65782-picker-route-nosql-injection --engine opengrep`