Will It Vibe logoWill It Vibe?
INJECT-021Medium severity-8 points

MongoDB $where with a string or function

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

$where evaluates a JavaScript string/function on the server for every document, which is both a NoSQL injection vector and a performance sink. Rewrite it as a normal query operator.

Why it matters

$where runs a JavaScript expression on the MongoDB server for every document in the collection. A string or function there is both a NoSQL injection vector, if any part is user-controlled, and a full-collection scan that ignores indexes. It is a heuristic because the expression may be a fixed constant.

How to fix it

Rewrite the condition using standard query operators ($gt, $lt, $eq, $in, and so on) so it uses indexes and takes no code. If you genuinely need server-side logic, use the aggregation pipeline with $expr rather than $where, and never place input inside it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks