
findOne method returns first document, even when the query value passed is "undefined" - can create privacy issues #14948

Open
2 tasks done
Alef5750 opened this issue Oct 10, 2024 · 0 comments

Comments


Alef5750 commented Oct 10, 2024

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the performance issue has not already been reported

Last performant version

8.7.0

Slowed down in version

8.7.0

Node.js version

20.17.0

🦥 Performance issue

When using the findOne() method and passing it a query value of undefined, like so:

    User.findOne(undefined)

the response is the first document in the User collection.
This is unique to Mongoose and differs from db.collection.findOne(undefined) in regular MongoDB, which returns null in such a case.

The problem: privacy issues. A hacker can pass 'undefined' and retrieve the first user in the database, which may have sensitive information.

Steps to Reproduce

  1. Create a User collection in a MongoDB database.
  2. Add users to the database with some fields (username, password, etc.).
  3. In your server's controller, run a Mongoose method getUser:

         import { Request, Response } from "express";
         // `User` is the Mongoose model for the collection created in step 1.

         export const getUser = async (req: Request, res: Response) => {
           try {
             const user = await User.findOne(undefined);
             console.log(user);
             res.status(200).json(user);
           } catch (error) {
             res.status(500).json({ message: "Error fetching user", error });
           }
         };

Expected Behavior

Notice that what the console logs as "user" is the first user in your database (and not null).
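Added example, not code from the issue or from Mongoose: a guard that validates the lookup filter before it reaches findOne(), next to an in-memory stand-in model (constructed here) that reproduces the reported behaviour so the two can be compared. `FakeModel`, `buildLookupFilter`, `findOneStrict` and the sample users are assumptions made for this example.

```javascript
// Constructed stand-in for a Mongoose model; it reproduces the behaviour the
// issue reports: an undefined or empty filter matches the first stored document.
class FakeModel {
  constructor(docs) { this.docs = docs; }
  findOne(filter) {
    const keys = filter && typeof filter === 'object' ? Object.keys(filter) : [];
    const doc = this.docs.find((d) => keys.every((k) => d[k] === filter[k]));
    return doc === undefined ? null : doc; // real Mongoose returns a Query/promise
  }
}

const isPrimitive = (v) => ['string', 'number', 'boolean'].includes(typeof v);

// Builds the only filter findOne is allowed to see: a plain object holding a
// primitive value for every key in `requiredKeys` (e.g. ['username']). Anything
// else (undefined, null, arrays, nested objects) throws, so a missing value can
// never widen the query to "any document".
function buildLookupFilter(input, requiredKeys) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('lookup filter must be a plain object');
  }
  const filter = {};
  for (const key of requiredKeys) {
    const value = input[key];
    if (!isPrimitive(value)) {
      throw new TypeError(`lookup filter needs a primitive value for "${key}"`);
    }
    filter[key] = value; // only the required keys are copied through
  }
  return filter;
}

// Hypothetical wrapper: fails loudly instead of returning the first document.
function findOneStrict(model, input, requiredKeys) {
  return model.findOne(buildLookupFilter(input, requiredKeys));
}

// Constructed sample collection.
const users = new FakeModel([
  { username: 'alice', password: 'hash-a' },
  { username: 'bob', password: 'hash-b' },
]);

// Compares the reported behaviour with the guarded lookup.
function demo() {
  const unguarded = users.findOne(undefined); // the issue: returns alice
  let guarded;
  try { guarded = findOneStrict(users, undefined, ['username']); }
  catch (e) { guarded = e.name; } // 'TypeError'
  const ok = findOneStrict(users, { username: 'bob' }, ['username']);
  return { unguarded: unguarded.username, guarded, ok: ok.username };
}
```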
