Does javascriptProtection:false impose any risk?

Hi

Just have a quick question from the MongoDB Database server end.
If we are running the MongoDB instance with authentication enabled, do we have any vulnerability with running javascriptProtection: false? I see that is the default, because we do not have anything specified on the mongod config by default, but I do see this:

```
db.adminCommand({getParameter:1,javascriptProtection:1})
{ "javascriptProtection" : false}
```

Does this impose any risk, and can we leave this as is?

Team,
Can anyone please help with this question? I also have the same doubt: will that be any risk?

Hi @Jerwin_Roy_Jackson and welcome to the forums,

The value for the javascriptProtection parameter has been changed in MongoDB v3.4+ to be enabled by default. If your MongoDB deployment is on v3.2 (EOL September 2018) or under, I’d recommend upgrading your deployment to a more recent version.

The feature setting was built to avoid overloading built-in functions in/from the mongo shell. It’d be recommended to set the value to true. Please also see the MongoDB Security Checklist to view the list of security measures that you should implement to protect your MongoDB installation.

Regards,
Wan
