## Critical Security Flaw: Plaintext Passwords & NoSQL Injection Expose Full User Database
A critical vulnerability in a web application's authentication stack allows unauthenticated remote attackers to bypass login entirely and harvest every user's credentials in plaintext. The flaw, rated CVSS 9.8 (critical), stems from two root-cause issues in the codebase: plaintext password storage and a NoSQL injection vulnerability. Together they create a direct path to complete system compromise without any prior authentication or network privileges.

The vulnerabilities are located in the `app/data/user-dao.js` and `app/routes/session.js` files. The `UserDAO.addUser()` function stores the raw password string from HTTP requests directly into MongoDB, because the `bcrypt.hashSync()` call is intentionally commented out. In addition, the `UserDAO.validateLogin()` function is vulnerable to NoSQL injection, allowing attackers to manipulate the login logic. The `SessionHandler.handleLoginRequest()` function, which feeds request data into that lookup, is also implicated in the flawed authentication flow.

This security failure exposes the entire user database. Attackers can exploit the NoSQL injection to bypass authentication checks entirely, granting them unauthorized access. Once inside, they can retrieve all stored passwords in cleartext due to the fundamental storage flaw. The situation represents a complete breakdown of core security principles, putting all user accounts and associated data at immediate and severe risk of compromise.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security Vulnerability, Authentication Bypass, Data Breach, NoSQL Injection, Plaintext Storage
- **Credibility**: unverified
- **Published**: 2026-04-19 08:22:33
- **ID**: 71065
- **URL**: https://whisperx.ai/en/intel/71065