CVE-2022-25760: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2022-25760 affects all versions of the accesslog package, which is a simple common/combined access log middleware. The vulnerability was disclosed on December 8, 2021, and published on February 27, 2022. This security issue involves Arbitrary Code Injection due to improper input sanitization in the package's format option (Snyk).

The vulnerability stems from the unsafe usage of the Function constructor without proper input sanitization. When attacker-controlled user input is provided to the format option of the package's exported constructor function, it enables arbitrary JavaScript code execution on the host running the package. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 7.1 (HIGH) from Snyk (NVD, Snyk).

The successful exploitation of this vulnerability can lead to a complete compromise of system confidentiality and integrity. An attacker can execute arbitrary JavaScript code on the host system where the package is running, potentially leading to total loss of confidentiality and integrity of the affected system (Snyk).

Currently, there is no fixed version available for the accesslog package. Users should consider using alternative logging middleware solutions or implementing additional security controls to prevent unauthorized input to the format option (Snyk).