Interlace ESLint

no-unsafe-where

Prevents use of the dangerous `$where` operator which executes JavaScript on the MongoDB server, enabling Remote Code Execution (RCE).

Keywords: NoSQL injection, CWE-943, MongoDB, $where, RCE, CVE-2025-23061, CVE-2024-53900, Mongoose

⚠️ This rule errors by default in the recommended config.

Quick Summary

| Aspect | Details |
| --- | --- |
| CWE Reference | CWE-943 (NoSQL Injection) |
| CVE | CVE-2025-23061, CVE-2024-53900 |
| OWASP | A01:2021 - Broken Access Control |
| Severity | Critical (CVSS: 9.0) |
| Category | Security |
| ESLint MCP | ✅ Optimized for AI assistant integration |

Rule Details

The $where operator evaluates JavaScript on the MongoDB server. This is:

  1. Extremely dangerous - can lead to RCE if user input reaches $where
  2. Performance killer - JavaScript evaluation is slow and cannot use indexes
  3. Deprecated - MongoDB discourages its use

CVE Coverage

  • CVE-2025-23061: Mongoose 8.x series - user input in $where allowing arbitrary code execution
  • CVE-2024-53900: Mongoose 7.x series - similar vulnerability in population paths

❌ Incorrect

// Direct $where with user input - RCE vulnerability
User.find({ $where: `this.name === '${req.body.name}'` });

// $where with function - still dangerous
User.find({
  $where: function () {
    return this.age > userAge;
  },
});

// Even hardcoded $where is discouraged
User.find({ $where: 'this.x > this.y' });

✅ Correct

// Use standard query operators instead
User.find({ name: { $eq: req.body.name } });

// Use $expr for complex comparisons
User.find({ $expr: { $gt: ['$age', 18] } });

// Use aggregation pipeline for computed fields
User.aggregate([
  { $addFields: { isActive: { $gt: ['$lastLogin', olderDate] } } },
  { $match: { isActive: true } },
]);

Known False Negatives

Dynamic Query Construction

// ❌ NOT DETECTED
const query = {};
query['$where'] = userInput;
User.find(query);

Indirect Reference

// ❌ NOT DETECTED
const operator = '$where';
User.find({ [operator]: '...' });
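Both patterns above escape static analysis because the `$where` key only exists at runtime, but the finished filter object still contains it. The following runtime guard, an added example that is not part of the Interlace ESLint rule or of Mongoose, walks the final filter before it reaches `find()` and rejects any `$where` key, wherever it is nested; the `findForbiddenOperator` / `assertSafeFilter` names and the sample filters are assumptions constructed for this illustration.

```javascript
// Runtime complement to the lint rule: inspect the fully built filter object,
// so dynamically constructed or computed `$where` keys are caught as well.
const FORBIDDEN_OPERATORS = new Set(['$where']);

// Returns a JSONPath-like location of the first forbidden operator, or null.
function findForbiddenOperator(filter, path = '$') {
  if (filter === null || typeof filter !== 'object') return null;
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findForbiddenOperator(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  for (const key of Object.keys(filter)) {
    if (FORBIDDEN_OPERATORS.has(key)) return `${path}.${key}`;
    const hit = findForbiddenOperator(filter[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Throws before the filter can be handed to the driver; returns it otherwise,
// so it can wrap a call site: User.find(assertSafeFilter(query)).
function assertSafeFilter(filter) {
  const hit = findForbiddenOperator(filter);
  if (hit) throw new Error(`Forbidden MongoDB operator at ${hit}`);
  return filter;
}

// Constructed inputs mirroring the two undetected patterns from this page.
const userInput = "this.name === 'x'"; // stand-in for untrusted request data
const dynamic = {};
dynamic['$where'] = userInput;
const operator = '$where';
const indirect = { [operator]: 'this.x > this.y' };
// Nested inside a logical operator, where a top-level-only check would miss it.
const nested = { $or: [{ age: { $gt: 18 } }, { $where: 'this.x > this.y' }] };
// A filter using only standard operators, which the guard lets through.
const safe = { name: { $eq: 'alice' }, $expr: { $gt: ['$age', 18] } };
```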

When Not To Use It

Never disable this rule. The $where operator should never be used in modern MongoDB applications:

  • Use $expr for field comparisons
  • Use aggregation pipelines for complex logic
  • Use application-side filtering if necessary
