CVE-2022-25760: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

March 18, 2022 (updated March 21, 2022)

All versions of package accesslog is vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package’s exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

References

github.com/advisories/GHSA-8m2f-74r2-x3f2
github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6
nvd.nist.gov/vuln/detail/CVE-2022-25760
snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099

Code Behaviors & Features

Detect and mitigate CVE-2022-25760 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →