Critical Template Object Injection Vulnerability Found in Juice Shop's `dataErasure.ts` Route

A critical security vulnerability has been flagged in the codebase of the Juice Shop project. The automated security scan identified a Template Object Injection flaw in the `routes/dataErasure.ts` file at line 87, where a template object depends on a user-provided value. This type of vulnerability is a severe risk, as it can potentially allow an attacker to inject and execute arbitrary code on the server, compromising the application's security and data integrity.

The finding, with a severity rating of 'critical', originates from the project's own GitHub repository under the user `taiqi121`. The specific rule triggering the alert is `js/template-object-injection`. The issue was automatically generated by the project's OSS vulnerability scanning workflow on April 3, 2026, indicating an active and recent discovery that requires immediate developer attention. The exact nature of the user input vector is not detailed, but the core risk is the improper handling of external data within a template object context.

This vulnerability places the entire `dataErasure` functionality—and by extension, any systems or data it interacts with—under significant scrutiny. Unremediated, it creates a direct pathway for server-side exploitation. The project maintainers are now under pressure to review the implicated code line and implement the recommended remediation, which is crucial for preventing potential data breaches or system takeovers. The presence of such a high-severity issue in a core route underscores the persistent challenges in securing modern web applications against injection attacks.