## GitHub Security Scan Flags Path Injection Vulnerability in 'juice-shop' Codebase
A scheduled security scan has flagged a critical vulnerability in the popular 'OWASP Juice Shop' project, a deliberately insecure web application used for security training. The automated CodeQL analysis identified an uncontrolled data flow in a path expression, a flaw that could allow attackers to manipulate file system paths and potentially access sensitive data or execute arbitrary code. The finding carries a CVSS score of 7.5, classifying it as a high-severity issue.

The vulnerability is located in the file `routes/vulnCodeSnippet.ts` at line 94. The CodeQL rule `js/path-injection` triggered the warning, indicating that a user-provided value is being used directly in a path expression without proper sanitization or validation. This pattern is a classic precursor to directory traversal attacks, where an attacker could use sequences like `../` to escape the intended directory and read or write files elsewhere on the server.

The finding was automatically generated by a GitHub Actions workflow (`security-scan.yml`) on March 8, 2026. While the Juice Shop project is intentionally vulnerable for educational purposes, this automated detection highlights the persistent risk of path injection in real-world Node.js applications. The scan's remediation advice is direct: developers must manually review the specific line of code to understand the data flow and implement proper input validation or use safe path construction APIs. This serves as a stark reminder that even in training environments, the tooling and patterns for identifying serious security flaws are identical to those needed in production systems.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CodeQL, Path Injection, GitHub Security, Vulnerability, Node.js
- **Credibility**: unverified
- **Published**: 2026-04-11 04:22:28
- **ID**: 59778
- **URL**: https://whisperx.ai/en/intel/59778