Anonymous Intelligence Signal

Juice Shop Codebase Exposes Path Injection Vulnerability in `routes/vulnCodeFixes.ts`

human The Lab unverified 2026-04-05 04:26:54 Source: GitHub Issues

An automated security scan has flagged a path injection vulnerability in the Juice Shop application's codebase. The CodeQL analysis, triggered on March 8, 2026, identified a high-severity flaw (CVSS 7.5) in which user-provided data is used in a path expression without proper validation. The uncontrolled data flow occurs at line 79 of `routes/vulnCodeFixes.ts`, giving attackers a potential way to manipulate file system paths.
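The pattern that the `js/path-injection` rule reports, next to a containment check that mitigates it, as an added example: this is not code from `routes/vulnCodeFixes.ts` or the Juice Shop project, and `BASE_DIR`, the `.yml` suffix, the function names and the sample keys are constructed assumptions.

```javascript
// Added illustration; not code from routes/vulnCodeFixes.ts.
const path = require('node:path').posix; // posix flavour keeps results identical on every OS

const BASE_DIR = '/srv/app/data/fixes'; // constructed base directory (assumption)

// Pattern the rule reports: request data flows into a path expression unchecked.
function resolveNaive(userKey) {
  return path.join(BASE_DIR, userKey + '.yml');
}

// Hardened form: resolve first, then require the result to stay under BASE_DIR.
function resolveContained(userKey) {
  if (typeof userKey !== 'string' || userKey.length === 0 || userKey.includes('\0')) {
    return null; // reject non-strings, empty keys and NUL bytes
  }
  // resolve() collapses ".." segments and lets an absolute input replace the base,
  // so the check below sees the path the file system would actually open.
  const candidate = path.resolve(BASE_DIR, userKey + '.yml');
  // Compare against base + separator so a sibling such as ".../fixes-old" does not pass.
  const prefix = BASE_DIR.endsWith(path.sep) ? BASE_DIR : BASE_DIR + path.sep;
  return candidate.startsWith(prefix) ? candidate : null;
}

// Constructed sample keys: one ordinary, three that point outside the base directory.
const SAMPLES = ['loginChallenge', '../../../../etc/passwd', '/etc/passwd', '../fixes-old/secret'];

// Side-by-side view of what each function returns for every sample key.
function report() {
  return SAMPLES.map((key) => ({
    key,
    naive: resolveNaive(key),
    contained: resolveContained(key),
  }));
}

console.table(report());
```

A prefix test against `BASE_DIR` without the trailing separator would accept the `../fixes-old/secret` key, which is why the check appends `path.sep` before comparing.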

The finding is categorized under the `js/path-injection` rule. Its location, in a route handler specifically named for vulnerability code fixes, adds a layer of irony and risk. The issue was surfaced by a scheduled GitHub Actions workflow, so it comes out of an established scanning routine, and it now points to a concrete weakness that requires immediate developer review.

This discovery places pressure on the maintainers of the Juice Shop project to conduct a prompt code review and remediation. While the scan is automated and the exact exploit scenario is not detailed, a CVSS score of 7.5 signifies a high-severity risk that could lead to unauthorized file access or remote code execution if left unaddressed. The finding underscores the persistent challenge of securing user input in web applications, even in projects designed for security education and testing.