diff --git a/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs b/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs
new file mode 100644
index 00000000000..a27376fd043
--- /dev/null
+++ b/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs
@@ -0,0 +1,74 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+using System;
+using System.Security.Cryptography;
+using System.Text;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver.Encryption
+{
+ ///
+ ///
+ ///
+ public static class VulnerableCryptography
+ {
+ // Weak hashing - Semgrep should flag
+ ///
+ ///
+ ///
+ ///
+ ///
+ public static string HashPassword(string password)
+ {
+ using (var md5 = MD5.Create()) // VULNERABLE - MD5 is weak
+ {
+ var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
+ return Convert.ToBase64String(hash);
+ }
+ }
+
+ private static string Hash(string str)
+ {
+ byte[] bytes = Encoding.ASCII.GetBytes(str);
+ using (SHA256 algorithm = SHA256.Create())
+ {
+ var hash = algorithm.ComputeHash(bytes);
+
+ return BsonUtils.ToHexString(hash);
+ }
+ }
+
+ // Hardcoded encryption key - Semgrep should flag
+ private static readonly byte[] EncryptionKey = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
+ };
+
+ ///
+ ///
+ ///
+ ///
+ ///
+ public static byte[] EncryptData(byte[] data)
+ {
+ using (var aes = Aes.Create())
+ {
+ aes.Key = EncryptionKey; // VULNERABLE - hardcoded key
+ // ... encryption logic
+ return data; // simplified
+ }
+ }
+ }
+}
\ No newline at end of file
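Review bot: `EncryptData` returns the caller's plaintext unchanged at `return data; // simplified` while its name promises encryption, and because it is `public static` in the shipped `MongoDB.Driver.Encryption` namespace under `src/`, compiling this file into the package exposes a method that silently performs no encryption; the same applies to `HashPassword`, whose unsalted MD5 digest must never be reachable from real password storage. If these are fixtures for the static-analysis run only, a test project or a directory excluded from the csproj keeps them out of the public API, or at minimum make the class `internal`. The `///` lines carry no `<summary>` text (possibly stripped by rendering); if they really are empty, a one-line summary such as `/// <summary>Deliberately weak fixture for static-analysis rules; performs no real encryption and returns <paramref name="data"/> unchanged.</summary>` stops the next reader from treating these as usable helpers. `Hash` is private and not called anywhere in this file, so it will also draw an unused-member warning.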
diff --git a/src/MongoDB.Driver/MongoClient.cs b/src/MongoDB.Driver/MongoClient.cs
index 0fa1b4eb8d2..13198d20258 100644
--- a/src/MongoDB.Driver/MongoClient.cs
+++ b/src/MongoDB.Driver/MongoClient.cs
@@ -751,4 +751,33 @@ private async Task UsingImplicitSessionAsync(Func
+ ///
+ ///
+ public class VulnerableConnectionExample
+ {
+ // Hardcoded credentials
+ private const string DefaultConnectionString = "mongodb://admin:password123@prod-server:27017/sensitive_db";
+
+ ///
+ ///
+ ///
+ ///
+ public MongoClient CreateClient()
+ {
+ return new MongoClient(DefaultConnectionString);
+ }
+
+ // Weak random session ID -
+ ///
+ ///
+ ///
+ ///
+ public string GenerateSessionId()
+ {
+ var random = new Random(); // Cryptographically weak
+ return random.Next().ToString();
+ }
+ }
}
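Review bot: The literal at `private const string DefaultConnectionString = "mongodb://admin:password123@prod-server:27017/sensitive_db";` is a credential-shaped string committed into `MongoClient.cs`, a production source file; once pushed it stays in history, secret scanners will flag the repository on every run, and it cannot be told from a real leak without reading the commit. If a fixture string is needed, point it at an obviously fake host such as `localhost` or `example.invalid` and keep it in a test project rather than the driver assembly, where `VulnerableConnectionExample` also becomes public API. `GenerateSessionId` creates `new Random()` per call, so the returned ids are predictable and can collide; the defensible form fills a buffer from `RandomNumberGenerator` (`RandomNumberGenerator.GetBytes(16)` on .NET 6+, otherwise `RandomNumberGenerator.Create().GetBytes(buffer)`) and returns `Convert.ToBase64String(buffer)`. The enclosing namespace block starts before this hunk.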
diff --git a/src/MongoDB.Driver/VulnerableNullHandling.cs b/src/MongoDB.Driver/VulnerableNullHandling.cs
new file mode 100644
index 00000000000..2eeab70d7ab
--- /dev/null
+++ b/src/MongoDB.Driver/VulnerableNullHandling.cs
@@ -0,0 +1,52 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+using System;
+using System.Collections.Generic;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+ ///
+ ///
+ ///
+ public class VulnerableNullHandling
+ {
+ ///
+ ///
+ ///
+ ///
+ ///
+ public string ProcessDocument(BsonDocument document)
+ {
+ // Remove null checks - Semgrep should flag potential null reference
+ var name = document["name"].AsString; // Could be null
+ return name.ToUpper(); // VULNERABLE - potential null reference
+ }
+
+ ///
+ ///
+ ///
+ ///
+ public void ProcessCollection(List documents)
+ {
+ // Missing null check on collection
+ foreach (var doc in documents) // VULNERABLE if documents is null
+ {
+ Console.WriteLine(doc["_id"]);
+ }
+ }
+ }
+}
\ No newline at end of file
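Review bot: The comments in `ProcessDocument` describe the wrong failure: `document["name"]` throws `KeyNotFoundException` when the element is absent and `.AsString` throws `InvalidCastException` when the value is `BsonNull`, so `name.ToUpper()` is not where a missing or null field surfaces. A defensive form is `return document.TryGetValue("name", out var value) && value.IsString ? value.AsString.ToUpperInvariant() : null;` (or a descriptive exception, depending on the intended contract). `ProcessCollection` should guard with `if (documents is null) throw new ArgumentNullException(nameof(documents));` before the `foreach`; `ArgumentNullException.ThrowIfNull` only exists on .NET 6+, so check the targeted frameworks before using it. The generic argument on `List documents` appears to have been stripped by rendering (presumably `List<BsonDocument>`); confirm the committed file compiles, and note that a public `VulnerableNullHandling` in the `MongoDB.Driver` namespace under `src/` ships as part of the driver's API unless it is moved to a test project.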
diff --git a/src/MongoDB.Driver/VulnerableQuery.cs b/src/MongoDB.Driver/VulnerableQuery.cs
new file mode 100644
index 00000000000..61bff629bc3
--- /dev/null
+++ b/src/MongoDB.Driver/VulnerableQuery.cs
@@ -0,0 +1,64 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+ ///
+ ///
+ ///
+ public class VulnerableQueryBuilder
+ {
+ private readonly IMongoCollection _collection;
+
+ ///
+ ///
+ ///
+ ///
+ public VulnerableQueryBuilder(IMongoCollection collection)
+ {
+ _collection = collection;
+ }
+
+ // Vulnerable: String concatenation in query - Semgrep should flag
+ ///
+ ///
+ ///
+ ///
+ ///
+ public async Task> FindUserByName(string username)
+ {
+ var queryJson = "{ 'username': '" + username + "' }"; // VULNERABLE
+ var filter = BsonDocument.Parse(queryJson);
+ return await _collection.Find(filter).ToListAsync().ConfigureAwait(false);
+ }
+
+ // Another injection pattern
+ ///
+ ///
+ ///
+ ///
+ ///
+ ///
+ public async Task FindByDynamicField(string field, string value)
+ {
+ var query = $"{{ {field}: '{value}' }}"; // VULNERABLE
+ return await _collection.Find(BsonDocument.Parse(query)).FirstOrDefaultAsync().ConfigureAwait(false);
+ }
+ }
+}
\ No newline at end of file
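Review bot: `FindUserByName` and `FindByDynamicField` splice caller-supplied strings into JSON and hand the result to `BsonDocument.Parse`, so any quote or operator character in `username`, `field` or `value` changes the structure of the query; the fix is the typed builder, `var filter = Builders<BsonDocument>.Filter.Eq("username", username);` and `Builders<BsonDocument>.Filter.Eq(field, value)`, which emits a BSON document without parsing text, with `field` additionally validated against an allow-list of known field names because the builder cannot decide on the caller's behalf which fields may be queried. Both methods lack a `CancellationToken` parameter and the `Async` suffix used elsewhere in the driver (`FindUserByNameAsync`, `FindByDynamicFieldAsync`). The `///` blocks contain no text, and `IMongoCollection` / `Task>` appear to have lost their generic arguments in rendering (presumably `IMongoCollection<BsonDocument>` and `Task<List<BsonDocument>>`); verify the committed file compiles. As with the other new files, a public `VulnerableQueryBuilder` under `src/MongoDB.Driver` ships in the package; a test project keeps the static-analysis fixture out of the API surface.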