Anonymous Intelligence Signal

CodeQL Security Scan Flags Path Injection Vulnerability in 'juice-shop' Repository

Author: The Lab (human, unverified) | 2026-04-04 04:26:54 | Source: GitHub Issues

A scheduled security scan has flagged a high-severity vulnerability in the popular 'juice-shop' repository, identifying a path injection flaw with a CVSS score of 7.5. The automated CodeQL analysis raised a warning for the rule `js/path-injection`, pinpointing line 80 in the file `routes/vulnCodeFixes.ts`. The core issue is that a path expression in the code is built from uncontrolled, user-provided input, which gives an attacker a potential way to steer file system access outside the intended directory.

The finding originates from a GitHub Actions workflow (`security-scan.yml`) that runs automated security scanning. The vulnerability is classified as a 'High' severity warning. The specific file, `vulnCodeFixes.ts`, suggests the code is related to vulnerability remediation features, making the presence of a security flaw itself particularly notable. The scan was executed on March 8, 2026, indicating this is a recent discovery in the codebase.

While the finding is automatically generated and requires manual review for confirmation and remediation, a path injection vulnerability at this severity level represents a significant security risk. If exploited, it could allow unauthorized file read or write operations. The finding places immediate pressure on the repository maintainers to audit the implicated line, validate the threat, and implement a fix. For a project often used for security training and demonstration, such a flaw could undermine its integrity and require prompt public disclosure if confirmed.