## Security Scan Flags Path Injection Vulnerability in Juice-Shop's Quarantine Server
A scheduled security scan has flagged a critical vulnerability in the popular OWASP Juice-Shop project, a deliberately insecure web application used for security training. The automated CodeQL analysis identified an uncontrolled-data path injection flaw in the `routes/quarantineServer.ts` file, carrying a CVSS score of 7.5, which is classified as a high-severity risk. The finding means that user-provided input can reach a file system operation without validation, the classic precondition for directory traversal attacks.

The specific vulnerability, tagged as `js/path-injection`, was detected on line 14 of the quarantine server route. The issue stems from the application using unsanitized, user-supplied data to construct a filesystem path. In a training context like Juice-Shop, such a flaw is an intentional educational example, but in a production system, it would represent a severe security gap, potentially allowing attackers to read, write, or delete sensitive files outside the intended directory.

The finding was automatically generated by the project's GitHub Actions workflow on March 8, 2026, underscoring the importance of continuous, automated security testing. While this particular instance is part of a controlled, educational environment, it serves as a stark, real-world reminder of the risks associated with improper input validation in Node.js applications. The remediation advice is straightforward: developers must review the implicated code line and implement proper input sanitization or path validation to neutralize the injection risk.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CodeQL, Path Injection, Security Vulnerability, Node.js, GitHub Actions
- **Credibility**: unverified
- **Published**: 2026-04-05 04:26:51
- **ID**: 50334
- **URL**: https://whisperx.ai/en/intel/50334