Injection

Injection in Node.js (Express) - Remediation Guide [GHSA-3gw8-3mg3-jmpc]

[Updated Apr 2026] GHSA-3gw8-3mg3-jmpc

Overview

In production Express apps, injection vulnerabilities can lead to data exposure, unauthorized access, or even remote code execution when untrusted input influences queries, commands, or templates. Without proper safeguards, attackers can bypass authentication, read sensitive records, or alter application behavior.

In Node.js/Express, injection typically occurs when queries are built by concatenating strings or interpolating values from req.body, req.query, or req.params into database queries or shell commands. This covers SQL and NoSQL queries as well as system commands executed via child_process. No specific CVEs are provided in this guide.

This vulnerability class shows up in patterns such as building SQL statements by string concatenation, passing operators taken from user input into MongoDB queries, or invoking shell commands with unsanitized input. It can also appear through template engines when untrusted data is rendered without escaping, enabling template injection.

Remediation enforces safe patterns: use parameterized queries or ORM/ODM query builders, validate and sanitize input with express-validator or Joi, avoid eval and new Function, and run external programs with child_process.execFile or spawn so that the program and its arguments are passed separately rather than through a shell string. Also apply least-privilege database accounts, centralized input validation, strict error handling, and security testing.

Code Fix Example

Node.js (Express) API Security Remediation
Vulnerable:
// Untrusted username and password are concatenated straight into the statement,
// so a crafted value changes the SQL the database executes.
const sql = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
const [rows] = await db.query(sql);

Fixed:
// Placeholders in the statement text, values passed separately: the driver
// binds them as data, never as SQL syntax. (Binding stops injection; password
// verification itself belongs in application code against a stored hash.)
const sql = "SELECT * FROM users WHERE username = ? AND password = ?";
const [rows] = await db.query(sql, [username, password]);
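An added example (not code from the advisory) that puts the guide's recommendations into one self-contained module: it rejects MongoDB operator keys in a parsed JSON body, allow-lists the login fields, builds the parameterized statement with values separated from the text, and prepares a child_process.execFile invocation with separated arguments. No database or shell is contacted; the regexes, the /bin/ping path and the function names are assumptions.

```javascript
// Allow-list for usernames (assumed policy for this example).
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
// Allow-list for hostnames handed to an external program (assumed policy).
const HOST_RE = /^[A-Za-z0-9.-]{1,253}$/;

// Recursively detect MongoDB operator keys ("$ne", "$gt", ...) anywhere in a
// parsed JSON value. A body like {"username": {"$ne": null}} passed straight
// into a query changes its meaning; this check refuses it before any query.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, child]) => key.startsWith('$') || containsOperatorKeys(child),
  );
}

// Validate a login body: each field must be a plain string (an object here is
// the operator-injection vector) and the username must match the allow-list.
// Returns only the allow-listed fields so nothing else from req.body leaks.
function validateLogin(body) {
  if (containsOperatorKeys(body)) throw new TypeError('operator keys rejected');
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  if (!USERNAME_RE.test(username)) throw new RangeError('invalid username');
  return { username, password };
}

// Parameterized statement: placeholders in the text, values in a separate
// array. The driver binds them as data, so the text never contains user input.
function buildUserQuery({ username, password }) {
  return {
    sql: 'SELECT * FROM users WHERE username = ? AND password = ?',
    values: [username, password],
  };
}

// Arguments for child_process.execFile: the program and its argv stay
// separate, so no shell ever parses `host`; the allow-list additionally
// rejects anything that is not a hostname.
function buildPingInvocation(host) {
  if (!HOST_RE.test(host)) throw new RangeError('invalid host');
  return { file: '/bin/ping', args: ['-c', '1', host] };
}
```

A handler would call validateLogin(req.body) and pass buildUserQuery's sql and values to db.query, or buildPingInvocation's file and args to child_process.execFile.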

CVE References

None. No specific CVEs are provided in this guide.
