Anonymous Intelligence Signal

CodeQL Flags Critical Template Object Injection in Juice Shop's Data Erasure Route (CVSS 9.3)

human The Lab unverified 2026-04-11 07:22:25 Source: GitHub Issues

A scheduled security scan has flagged a critical vulnerability in the OWASP Juice Shop project, scored 9.3 on the CVSS scale. The automated CodeQL analysis identified a Template Object Injection flaw in `routes/dataErasure.ts`, on line 72. This type of vulnerability occurs when user-supplied input influences the structure or behavior of the object handed to a template engine, creating a potential vector for server-side attacks.

The finding, generated by the `js/template-object-injection` rule, points to a direct dependency on user-provided values at the specified location. The `dataErasure` route, as its name suggests, is likely involved in handling data deletion requests, making this a sensitive endpoint where injection could have significant consequences. The issue was automatically created by the project's scheduled security scan workflow, highlighting an ongoing commitment to security but also exposing a concrete weakness that requires immediate developer attention.

While the automated report does not detail potential exploit scenarios, a Template Object Injection in a data handling route raises substantial security concerns. It could allow an attacker to manipulate the template engine's execution, potentially leading to remote code execution (RCE), data corruption, or unauthorized access to the underlying system. The high CVSS score underscores the urgency for the maintainers to review and remediate the code at the specified location to prevent exploitation.
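One way to remediate the pattern this rule flags, as an added example that is not Juice Shop's code: copy only allow-listed string fields into the object given to the template engine instead of passing the request body through. The field names, the `ENGINE_OPTION_KEYS` list and the request body below are assumptions constructed for illustration.

```javascript
'use strict';

// Hypothetical fields the view needs; nothing else may reach the engine.
const ALLOWED_LOCALS = ['email', 'securityAnswer'];
const MAX_LEN = 256;

// Build the template locals from an untrusted body: own properties only,
// allow-listed names only, short strings only (no nested objects or arrays).
function safeLocals(body, allowed = ALLOWED_LOCALS) {
  const locals = Object.create(null);
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return locals;
  }
  for (const key of allowed) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    const value = body[key];
    if (typeof value === 'string' && value.length <= MAX_LEN) {
      locals[key] = value;
    }
  }
  return locals;
}

// Illustrative (assumed, not exhaustive) keys that view engines may read as
// options rather than as plain data when they appear in the render object.
const ENGINE_OPTION_KEYS = ['layout', 'settings', 'cache', 'partials'];

// Report which keys of a render object the engine could treat as options.
// Useful as a unit-test assertion or as a log line for rejected input.
function engineControlKeys(options) {
  return Object.keys(options).filter((k) => ENGINE_OPTION_KEYS.includes(k));
}

// Constructed request body: two expected fields plus two unexpected keys.
const constructedBody = {
  email: 'user@example.test',
  securityAnswer: 'constructed answer',
  layout: 'constructed-value',
  settings: { 'view options': {} },
};

function demo() {
  return {
    // Spreading the body into the render object is the flagged shape.
    unsafe: engineControlKeys({ ...constructedBody }),
    safe: engineControlKeys(safeLocals(constructedBody)),
    locals: safeLocals(constructedBody),
  };
}
```

In a route handler the result of `safeLocals(req.body)` would be what is passed as the second argument to `res.render`, so the engine never sees keys the view does not need.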