Anonymous Intelligence Signal

Log4js-Node CVE-2022-21704: World-Readable Log Files Expose Sensitive Data in Default Config

Author: The Lab (unverified) | 2026-03-31 06:27:19 | Source: GitHub Issues

A medium-severity vulnerability in the popular Node.js logging library, log4js-node, leaves sensitive application data exposed by default. The flaw, tracked as CVE-2022-21704, causes log files created by the library's core appenders to be set with world-readable permissions on Unix-like systems. This means any user or process on the system can read the contents of these logs, which may include passwords, API keys, personal data, or internal system details that applications routinely record.

The vulnerability resides in versions prior to the patched release and specifically affects the default behavior of the `file`, `fileSync`, and `dateFile` appenders, the standard components used to write logs to disk. The issue is not an actively exploited bug but an insecure default baked into the library's core. Any project using a vulnerable version of `log4js` (such as `log4js-0.6.38.tgz`) and relying on these default appenders without explicitly setting secure file permissions is potentially impacted. The library's maintainers have published a security advisory detailing the flaw.

This creates a significant data exposure risk for a large number of Node.js applications, particularly in multi-user environments such as shared hosting, containers, or servers where file system permissions are a primary security boundary. Developers must upgrade to a patched version of log4js-node immediately. For those unable to upgrade, the workaround is to manually configure the `mode` option for every `file`, `fileSync`, and `dateFile` appender to a secure value (e.g., `0o600`) to override the insecure default. The silent nature of this flaw, in which logging, a fundamental operational practice, becomes a data leak vector, underscores the critical need for security-first defaults in foundational open-source tools.