Anonymous Intelligence Signal

Critical NoSQL Injection in user-dao.js Exposes Authentication Bypass (CVSS 9.8)

The Lab (human, unverified) | 2026-04-19 08:22:36 | Source: GitHub Issues

A critical NoSQL injection vulnerability in a core authentication function allows unauthenticated attackers to bypass login controls and potentially gain administrative access. The flaw, rated CVSS 9.8 (Critical), resides in the `validateLogin()` function within the `app/data/user-dao.js` file. It passes the raw `userName` parameter from the HTTP request body directly into a MongoDB `findOne` query without any sanitization or type checking, so a request value that is an object rather than a string is interpreted by the database as a set of MongoDB query operators.

Specifically, because the Express body-parser accepts nested JSON, an attacker can submit a crafted object like `{"$gt": ""}` as the username. The database interprets this as a query operator instead of a literal string, allowing the malicious query to match and return the first user document in the collection. This directly compromises the `POST /login` endpoint, making complete authentication bypass trivial for an unauthenticated remote attacker. The secondary `addUser()` function in the same file is also suspected to be vulnerable to similar operator injection.

The vulnerability, classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), represents a severe architectural failure in input validation. With a CVSS vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, it poses a high risk of full system compromise, data exfiltration, and unauthorized administrative actions. The issue was flagged by automated triage, indicating it may exist undetected in other code paths, and requires immediate patching to enforce strict type checking and parameterized queries.
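The following is an added example, not code from the original report or from the affected project. It places the defect described above (a raw request value passed straight into `findOne`) beside the fix the advisory calls for (strict type checking of `userName`, plus rejection of operator keys anywhere in the request body, which also covers `addUser()`). The in-memory `users` collection and the small `findOne` matcher are constructed stand-ins for MongoDB so the example runs offline; the function names `findUserUnsafe`, `findUserSafe`, `containsOperatorKeys` and `lookupLoginUser` and the sample records are assumptions.

```javascript
// Added example, not code from the original report or the affected project.
// Shows the flaw the advisory describes beside the hardened form it calls for.
// The in-memory collection and the tiny query matcher are constructed stand-ins
// for MongoDB so the example runs offline; all function names are assumptions.

// Constructed sample collection. The admin record comes first, which is why a
// query that "matches the first document" amounts to an authentication bypass.
const users = [
  { _id: 1, userName: 'admin', passwordHash: 'constructed-admin-hash', isAdmin: true },
  { _id: 2, userName: 'alice', passwordHash: 'constructed-alice-hash', isAdmin: false },
];

// Minimal emulation of how MongoDB interprets a query value: a string is
// compared literally, an object is treated as an operator expression. Only the
// $gt operator mentioned in the advisory is modelled; anything else is refused.
function fieldMatches(value, criterion) {
  if (criterion !== null && typeof criterion === 'object') {
    return Object.entries(criterion).every(([op, arg]) => {
      if (op === '$gt') return value > arg;
      throw new Error(`operator ${op} is not modelled in this example`);
    });
  }
  return value === criterion;
}

// Stand-in for collection.findOne(query): first document whose fields all match.
function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.entries(query).every(([field, criterion]) => fieldMatches(doc[field], criterion)));
  return hit || null;
}

// Vulnerable form: mirrors validateLogin() as described, with req.body.userName
// passed straight through. A JSON body of {"userName": {"$gt": ""}} therefore
// becomes an operator query and returns the first (admin) document.
function findUserUnsafe(userName) {
  return findOne(users, { userName });
}

// Hardened form: only a plain string may reach the query. Anything else
// (object, array, number, undefined) is refused and the lookup fails closed.
function findUserSafe(userName) {
  if (typeof userName !== 'string') return null;
  return findOne(users, { userName });
}

// Defence in depth for the whole request body (covers addUser() and any other
// handler): refuse any nested object whose key starts with '$', which is the
// shape operator injection needs. Suitable as a middleware check before routing.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperatorKeys(v));
  }
  return false;
}

// Login lookup combining both checks. Returns an HTTP-style status so the
// rejection path is explicit and observable in logs; password-hash
// verification against the returned record is the caller's next step.
function lookupLoginUser(body) {
  if (containsOperatorKeys(body)) {
    return { ok: false, status: 400, reason: 'operator key in request body' };
  }
  if (typeof body.userName !== 'string' || typeof body.password !== 'string') {
    return { ok: false, status: 400, reason: 'userName and password must be strings' };
  }
  const user = findUserSafe(body.userName);
  return user ? { ok: true, status: 200, user } : { ok: false, status: 401, reason: 'invalid credentials' };
}

// Stand-alone demonstration.
console.log('unsafe, operator object :', findUserUnsafe({ $gt: '' }));
console.log('safe,   operator object :', findUserSafe({ $gt: '' }));
console.log('safe,   literal string  :', findUserSafe('alice'));
console.log('lookup, injected body   :', lookupLoginUser({ userName: { $gt: '' }, password: 'x' }));
console.log('lookup, normal body     :', lookupLoginUser({ userName: 'alice', password: 'x' }));
```

Two points worth noting for the fix. The `typeof` check alone is sufficient for `validateLogin()`, because a string can never be parsed as an operator expression; the body-wide `$`-key rejection is the general control that also protects `addUser()` and any handler added later, and the distinct 400 status it produces is a cheap detection signal for attempts against the `POST /login` endpoint.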