GHSA-8m2f-74r2-x3f2

Suggest an improvement
Source
https://github.com/advisories/GHSA-8m2f-74r2-x3f2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-8m2f-74r2-x3f2/GHSA-8m2f-74r2-x3f2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8m2f-74r2-x3f2
Aliases
Published
2022-03-18T00:01:10Z
Modified
2026-03-13T22:11:45.051350Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Code injection in accesslog
Details

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

Database specific 
{
    "nvd_published_at": "2022-03-17T12:15:00Z",
    "severity": "HIGH",
    "github_reviewed_at": "2022-03-18T22:41:34Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / accesslog

Package

Name
accesslog
View open source insights on deps.dev
Purl
pkg:npm/accesslog

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.0.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-8m2f-74r2-x3f2/GHSA-8m2f-74r2-x3f2.json"