Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04bTJmLTc0cjIteDNmMs0z7Q

Code injection in accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

Permalink: https://github.com/advisories/GHSA-8m2f-74r2-x3f2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04bTJmLTc0cjIteDNmMs0z7Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Identifiers: GHSA-8m2f-74r2-x3f2, CVE-2022-25760
References: Repository: https://github.com/carlos8f/node-accesslog
Blast Radius: 7.4

Affected Packages

npm:accesslog
Dependent packages: 4
Dependent repositories: 11
Downloads: 120 last month
Affected Version Ranges: <= 0.0.2
No known fixed version
All affected versions: 0.0.0, 0.0.1, 0.0.2