MongoDB $where with a string or function
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
$where evaluates a JavaScript string/function on the server for every document, which is both a NoSQL injection vector and a performance sink. Rewrite it as a normal query operator.
Why it matters
$where runs a JavaScript expression on the MongoDB server for every document in the collection. A string or function there is both a NoSQL injection vector, if any part is user-controlled, and a full-collection scan that ignores indexes. It is a heuristic because the expression may be a fixed constant.
How to fix it
Rewrite the condition using standard query operators ($gt, $lt, $eq, $in, and so on) so it uses indexes and takes no code. If you genuinely need server-side logic, use the aggregation pipeline with $expr rather than $where, and never place input inside it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo