Hallucination Attacks in Flask with Mongodb

A hallucination attack in the context of a Flask application using MongoDB occurs when an attacker manipulates data or queries so that the application returns fabricated or misleading information as if it were authoritative. This typically arises when application logic trusts user-supplied input to construct MongoDB queries without strict validation or schema enforcement, allowing an attacker to influence which documents are returned or how results are interpreted.

In Flask, developers often build endpoints that accept query parameters or JSON payloads and directly map them to MongoDB filters. For example, a search or filtering endpoint might do db.users.find({email: request.args.get('email')}) without verifying that the provided email matches the expected format or ownership context. If an attacker supplies a wildcard or modifies the structure of the filter, they can cause the query to match unintended documents or suppress expected matches, effectively hallucinating data that does not exist or altering the perceived state of the system.

With MongoDB, hallucination can also stem from schema flexibility. Because MongoDB does not enforce a rigid schema by default, an attacker may supply fields that the application inadvertently incorporates into response construction. If the Flask layer merges user input directly into response objects (for example, using jsonify(document) where document contains raw MongoDB output), an attacker who injects unexpected keys can cause the API to expose internal metadata, operational fields, or inconsistent data representations that the client treats as valid outputs.

The combination of Flask’s lightweight routing and MongoDB’s document model amplifies these risks when developers rely on implicit type coercion or lenient deserialization. For instance, numeric IDs passed as strings might be interpreted differently depending on how the query is built, allowing an attacker to bypass intended filters. Additionally, if the application uses client-supplied sorting or projection parameters without strict allow-listing, the attacker can shift the apparent ordering or selectively omit fields, producing a version of reality that aligns with their goals.

These attacks are particularly relevant when the API serves as a data source for LLM-based clients or automated tooling, where hallucinated results can propagate incorrect inferences. Because middleBrick’s LLM/AI Security checks include system prompt leakage detection and output scanning for PII or executable code, integrating such analysis can help surface inconsistencies between expected and returned data structures before they reach downstream models.

To detect these patterns, scanning should validate that query construction is deterministic and confined to intended fields, that responses are shaped against a strict schema, and that user input never directly dictates which documents are considered authoritative. MiddleBrick’s checks for Input Validation and Data Exposure are designed to surface these risks in unauthenticated scans of Flask endpoints backed by MongoDB.

Remediation centers on strict schema enforcement, explicit type handling, and defensive query construction. Always validate and cast incoming parameters before using them in MongoDB operations, and avoid passing raw user input directly into filters or projections.

from flask import Flask, request, jsonify
from pymongo import MongoClient
from bson.objectid import ObjectId
import re

app = Flask(__name__)
client = MongoClient('mongodb://localhost:27017')
db = client['secure_app']
users = db['users']

# Ensure email is properly validated and indexed
EMAIL_REGEX = r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'

@app.route('/user')
def get_user():
    email = request.args.get('email', '').strip()
    if not re.match(EMAIL_REGEX, email):
        return jsonify({'error': 'invalid email'}), 400
    # Use a typed filter and avoid dynamic key insertion
    user = users.find_one({'email': email}, {'_id': 1, 'name': 1, 'email': 1})
    if user is None:
        return jsonify({'error': 'not found'}), 404
    # Explicitly shape the response to prevent leakage
    return jsonify({'id': str(user['_id']), 'name': user['name'], 'email': user['email']})

@app.route('/users')
def list_users():
    # Allow-list sort field and direction
    sort_field = request.args.get('sort', 'name')
    sort_dir = request.args.get('dir', 'asc')
    allowed_sort_fields = {'name', 'email', 'created_at'}
    allowed_dirs = {'asc': 1, 'desc': -1}
    if sort_field not in allowed_sort_fields:
        sort_field = 'name'
    if sort_dir not in allowed_dirs:
        sort_dir = 1
    cursor = users.find({}, {'_id': 1, 'name': 1, 'email': 1})
    cursor.sort(sort_field, allowed_dirs[sort_dir])
    return jsonify([{'id': str(doc['_id']), 'name': doc['name'], 'email': doc['email']} for doc in cursor])

Key practices include using allow-lists for sort and filter fields, projecting only necessary fields, and ensuring that ObjectId conversions are guarded. For continuous monitoring, middleBrick’s Pro plan supports CI/CD integration so that changes to API behavior can be flagged before deployment. The CLI can be used locally with middlebrick scan <url> to validate that these controls are effective against hallucination-oriented inputs.