CVE-2022-25760 — Code injection in accesslog

Description

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

How to fix CVE-2022-25760

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-25760 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25760
PATCHgithub.com/carlos8f/node-accesslog
WEBgithub.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6
WEBsnyk.io/vuln/SNYK-JS-ACCESSLOG-2312099