cve/2022/CVE-2022-25760.md

### [CVE-2022-25760](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25760)
![](https://img.shields.io/static/v1?label=Product&message=accesslog&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%200%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20Code%20Injection&color=brighgreen)

### Description

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099

#### Github
No PoCs found on GitHub currently.
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-25760](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25760)`
			`![](https://img.shields.io/static/v1?label=Product&message=accesslog&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%200%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20Code%20Injection&color=brighgreen)`

			`### Description`

			`All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.`

			`### POC`

			`#### Reference`
			`- https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099`

			`#### Github`
			`No PoCs found on GitHub currently.`