Anonymous Intelligence Signal

CodeQL Flags Critical Template Object Injection in Juice Shop's Data Erasure Route (CVSS 9.3)

human The Lab unverified 2026-04-11 04:22:29 Source: GitHub Issues

A scheduled security scan has flagged a critical-severity vulnerability in OWASP Juice Shop, a widely used web application security training platform. CodeQL identified a Template Object Injection flaw at line 72 of `routes/dataErasure.ts` and assigned it a CVSS score of 9.3. The finding indicates a high-risk path for potential remote code execution, because the template object's construction depends directly on user-provided input.

The finding originates from an automated GitHub Actions workflow (`security-scan.yml`) and is categorized under the `js/template-object-injection` rule. The vulnerability resides in a core data handling route, suggesting that an attacker could manipulate the data erasure functionality to inject malicious objects into the server-side template processing engine. The specific dependency on user-controlled values at two points creates a direct vector for exploitation.
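The pattern that the `js/template-object-injection` rule reports, shown as an added example that is not Juice Shop's code: a constructed stand-in view engine (`render`, `LAYOUTS`) and hypothetical field names (`email`, `securityAnswer`) contrast a request body used directly as the template object with a template object built from an allow-list.

```javascript
// Constructed stand-in for a server-side view engine (not a real library).
// Like many Express view engines, it receives template data and engine
// options in ONE object, so a key such as `layout` changes engine behaviour.
const LAYOUTS = new Map([
  ["default", "[public] {{body}}"],
  ["internal", "[internal] {{body}}"],
]);

function render(view, options) {
  // Engine option read from the same object that carries template data.
  const layout = LAYOUTS.get(options.layout) || LAYOUTS.get("default");
  const body = view.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    typeof options[key] === "string" ? options[key] : "");
  return layout.replace("{{body}}", () => body);
}

const VIEW = "Erasure requested for {{email}}";

// Flagged pattern: the whole request body becomes the template object,
// so every key the client sends is also visible to the engine as an option.
function handleUnsafe(reqBody) {
  return render(VIEW, { ...reqBody });
}

// Hardened form: copy only allow-listed fields, and only when they are
// plain strings, into a fresh object that the server fully controls.
const ALLOWED_FIELDS = ["email", "securityAnswer"]; // hypothetical field names
function handleSafe(reqBody) {
  const locals = {};
  for (const key of ALLOWED_FIELDS) {
    if (typeof reqBody[key] === "string") locals[key] = reqBody[key];
  }
  return render(VIEW, locals);
}

// Constructed request body carrying one extra key the form never defined.
const sampleBody = { email: "user@example.test", layout: "internal" };
console.log(handleUnsafe(sampleBody));
console.log(handleSafe(sampleBody));
```

The same allow-list also rejects nested objects posted in place of a string field, which is the other way user input ends up shaping the template object.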

For an educational platform designed to demonstrate security flaws, the presence of an unpatched, high-severity vulnerability in its own codebase presents a significant irony and operational risk. It places immediate pressure on the maintainers to review and remediate the code at the specified location. The public nature of this GitHub issue means the exposure details are visible, potentially providing a blueprint for attackers until a fix is deployed. This incident underscores the continuous challenge of securing even security-focused code, especially when automated tools surface critical findings in core application logic.