Why is that a security hole? According to https://derickrethans.nl/mongodb-type-juggling.html, you're fine - there is no SQL query involved that might be vulnerable to the same kind of injection you've seen at MySQL.
See How does MongoDB avoid the SQL injection mess? for an additional explanation, especially the first paragraph of the accepted answer:
MongoDB avoids the potential for problems by not parsing.