CVE-2022-25760 – accesslog
Package
Manager: npm
Name: accesslog
Vulnerable Version: >=0 <=0.0.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00436 (percentile 0.62121)
Details
Summary: Code injection in accesslog
All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, an attacker can execute arbitrary JavaScript code on the host running the package.
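The advisory names the sink (the Function constructor) and the source (the format option) but does not reproduce the package's code. The following is an added example, not accesslog's own implementation: it contrasts a format-string compiler that splices the format into JavaScript source with a token-substitution formatter that never generates code, plus an allowlist check a caller can apply before accepting a format from configuration. The token names (:method, :url, :status) and the request/response shapes are assumptions made for the example.

```javascript
// Token table used by both formatters. Each token maps to a function that
// reads a field from the request/response objects (shapes assumed here).
const TOKENS = {
  method: (req) => req.method,
  url: (req) => req.url,
  status: (req, res) => String(res.statusCode),
};

// Unsafe pattern (CWE-94): the format string becomes part of the function
// body, so any character in it that is not a plain token is interpreted as
// JavaScript rather than as text. This is the class of defect the advisory
// describes; the exact code in accesslog is not on this page.
function compileUnsafe(format) {
  const body =
    '"' + format.replace(/:(\w+)/g, '" + tokens.$1(req, res) + "') + '"';
  return new Function('tokens', 'req', 'res', 'return ' + body);
}

// Hardened pattern: substitute tokens with a callback. The format string is
// only ever data; unknown tokens and stray quotes are copied through literally.
function formatSafe(format, req, res) {
  return format.replace(/:(\w+)/g, (match, name) => {
    const fn = Object.prototype.hasOwnProperty.call(TOKENS, name)
      ? TOKENS[name]
      : null;
    return fn ? fn(req, res) : match;
  });
}

// Defensive check for callers that still wrap a code-generating formatter:
// accept only tokens, whitespace and a few separators. Quotes, backticks,
// braces and parentheses are rejected outright.
function isSafeFormat(format) {
  return typeof format === 'string' && /^[\w\s:\-\/.\[\]|]*$/.test(format);
}

// Constructed sample input for a stand-alone run.
const sampleReq = { method: 'GET', url: '/health' };
const sampleRes = { statusCode: 200 };
console.log(formatSafe(':method :url :status', sampleReq, sampleRes));
console.log(isSafeFormat(':method :url'), isSafeFormat(':method" + 1 + "'));
```

The substitution formatter is the fix to prefer: with no Function constructor involved, there is nothing for a hostile format string to escape into. The allowlist check is a secondary control for code that cannot be rewritten immediately; it is only as good as its regular expression, so pair it with a test that feeds the formatter a format containing quotes and confirms the output is the literal text.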
Metadata
Created: 2022-03-18T00:01:10Z
Modified: 2022-03-18T22:41:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-8m2f-74r2-x3f2/GHSA-8m2f-74r2-x3f2.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-8m2f-74r2-x3f2
Finding: F422
Auto approve: 1