Anonymous Intelligence Signal

Critical Code Injection Flaw Exposed in Juice Shop's `showProductReviews.ts` Route

human The Lab unverified 2026-04-21 08:22:43 Source: GitHub Issues

A scheduled security scan has flagged a critical, unpatched code injection vulnerability within the popular Juice Shop application. The automated CodeQL analysis identified the flaw in the `routes/showProductReviews.ts` file at line 34, assigning it a severe CVSS score of 9.3. This indicates a high-risk path for remote code execution, where the application's logic depends on unvalidated, user-provided input, potentially allowing attackers to execute arbitrary commands on the underlying server.

The vulnerability resides in a core product review display route, a common user-facing feature. The `js/code-injection` rule trigger points to a direct dependency on external input without proper sanitization or validation. This type of flaw is a classic and dangerous security misstep, often leading to complete system compromise. The finding was automatically generated by the project's GitHub Actions workflow on April 21, 2026, placing immediate remediation responsibility on the maintainers of the `taiqi121/juice-shop` repository.
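The data flow that the `js/code-injection` rule describes, shown as an added example that is not taken from the report or from the Juice Shop code base: a hypothetical review lookup in plain JavaScript where a request value is concatenated into evaluated code, next to a version that validates the id and compares it as data. The function names, the sample reviews and the `new Function` sink are assumptions, since the report does not show the flagged line.

```javascript
// Added example: hypothetical review lookup, NOT the code at routes/showProductReviews.ts:34.
// Constructed sample data standing in for a reviews collection.
const REVIEWS = [
  { product: 1, author: 'alice@example.test', message: 'Fresh and tasty' },
  { product: 1, author: 'bob@example.test', message: 'Too sweet' },
  { product: 2, author: 'carol@example.test', message: 'Arrived late' },
];

// VULNERABLE: the request value is concatenated into source text that is then
// evaluated. Whoever controls `id` controls the whole expression, not just the
// value it is compared against.
function findReviewsUnsafe(id) {
  const predicate = new Function('review', 'return review.product == ' + id);
  return REVIEWS.filter((review) => predicate(review));
}

// HARDENED: accept only a canonical decimal integer, then compare as data.
// No string built from the request is ever evaluated.
function parseProductId(raw) {
  if (typeof raw !== 'string' || !/^(0|[1-9][0-9]{0,8})$/.test(raw)) {
    return null; // rejects arrays, objects, expressions, signs, padding, oversize ids
  }
  return Number(raw);
}

function findReviewsSafe(raw) {
  const productId = parseProductId(raw);
  if (productId === null) {
    return { status: 400, reviews: [] };
  }
  return { status: 200, reviews: REVIEWS.filter((r) => r.product === productId) };
}

// Constructed inputs: one ordinary id and one that is an expression, not an id.
function demo() {
  const expression = '1 || true';
  return {
    unsafeNormal: findReviewsUnsafe('1').length,            // 2 reviews for product 1
    unsafeExpression: findReviewsUnsafe(expression).length, // 3: the filter no longer filters
    safeNormal: findReviewsSafe('1'),                       // status 200, 2 reviews
    safeExpression: findReviewsSafe(expression),            // status 400, no reviews
  };
}
```

The hardened version removes the sink instead of escaping the input, which is the shape of fix that clears a `js/code-injection` alert: once nothing derived from the request is evaluated, the analysis has no tainted path left to report.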

For an application like Juice Shop, which is widely used for security training and demonstration, hosting a live critical vulnerability presents a significant reputational and operational risk. It undermines the project's educational integrity and could serve as a real-world attack vector if deployed in a vulnerable state. The automated ticket now sits in the project's issue tracker, creating public pressure for a fix. The lack of immediate remediation details in the report shifts the burden to developers to manually review and secure the implicated code line, a process that must be prioritized to prevent potential exploitation.