Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04bTJmLTc0cjIteDNmMs0z7Q
Code injection in accesslog
All versions of the package accesslog are vulnerable to arbitrary code injection because it uses the Function constructor without input sanitization. If attacker-controlled user input reaches the format option of the package's exported constructor function, the attacker can execute arbitrary JavaScript code on the host running this package.
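As an added example (not code from the accesslog package or from the advisory), the mitigation pattern for this class of bug: a log formatter that treats the format string as data to be tokenized against an allow-list, so nothing from the format option is ever turned into code. The `:name` token syntax and the field list are assumptions, not taken from accesslog.

```javascript
// Added example (not from the accesslog package): compile a log format string
// by parsing it as data, never by handing it to the Function constructor.
// Assumptions: tokens look like ":name"; the allowed field names are invented.
const TOKEN_RE = /:([A-Za-z_][A-Za-z0-9_]*)/g;
const ALLOWED_FIELDS = new Set(['method', 'url', 'status', 'remote_addr', 'response_time']);

// Turn a format string into a list of literal and field parts. Any field name
// outside the allow-list is rejected up front, so a hostile format string can
// at worst cause an error, never code execution.
function parseFormat(format) {
  if (typeof format !== 'string') throw new TypeError('format must be a string');
  const parts = [];
  let last = 0;
  for (const m of format.matchAll(TOKEN_RE)) {
    if (!ALLOWED_FIELDS.has(m[1])) throw new Error(`unknown format field: ${m[1]}`);
    if (m.index > last) parts.push({ literal: format.slice(last, m.index) });
    parts.push({ field: m[1] });
    last = m.index + m[0].length;
  }
  if (last < format.length) parts.push({ literal: format.slice(last) });
  return parts;
}

// Build a renderer closure from the parsed parts. Everything in the format
// string other than recognised tokens is emitted verbatim as text; missing
// record fields render as "-".
function compileFormat(format) {
  const parts = parseFormat(format);
  return (record) =>
    parts
      .map((p) => (p.field === undefined ? p.literal
        : record[p.field] === undefined ? '-' : String(record[p.field])))
      .join('');
}

// Validation helper for a format value received from configuration: true when
// compileFormat would refuse it.
function rejectsFormat(format) {
  try {
    parseFormat(format);
    return false;
  } catch (e) {
    return true;
  }
}

// Stand-alone demonstration with a constructed request record.
const render = compileFormat(':remote_addr ":method :url" :status :response_time ms');
console.log(render({ remote_addr: '203.0.113.7', method: 'GET', url: '/index.html', status: 200, response_time: 12 }));
```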
Permalink: https://github.com/advisories/GHSA-8m2f-74r2-x3f2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04bTJmLTc0cjIteDNmMs0z7Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Identifiers: GHSA-8m2f-74r2-x3f2, CVE-2022-25760
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25760
- https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js#L6
- https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099
- https://github.com/advisories/GHSA-8m2f-74r2-x3f2
Blast Radius: 7.4
Affected Packages
npm:accesslog
Dependent packages: 4
Dependent repositories: 11
Downloads: 120 last month
Affected Version Ranges: <= 0.0.2
No known fixed version
All affected versions: 0.0.0, 0.0.1, 0.0.2