High-Severity SQL Injection Risk Detected in OWASP Juice Shop Review Endpoint
A high-severity SQL injection vulnerability has been flagged in the OWASP Juice Shop project after an automated CodeQL security scan identified a database query built from user-controlled sources. The flaw, detected on March 8, 2026, carries a CVSS score of 8.8, placing it in the high-severity range and raising concerns about potential data exposure through the application's product review functionality.
The vulnerability resides in the file `routes/likeProductReviews.ts` at line 42, where the application constructs a database query that incorporates input directly from users. SQL injection flaws of this type can allow attackers to manipulate query logic, potentially gaining unauthorized access to sensitive data, bypassing authentication mechanisms, or executing arbitrary commands on the underlying database server. The Juice Shop project, while designed as a deliberately vulnerable security training target, still requires proper tracking and remediation of identified flaws within its codebase.
The finding was generated automatically by a scheduled GitHub Actions security workflow, consistent with modern DevSecOps practices that continuously scan repository code for known vulnerability patterns. Organizations or developers using Juice Shop for security education or penetration testing should treat this as a confirmed flaw requiring attention if they deploy modified or hardened versions. The finding also underscores the importance of parameterized queries and input validation as foundational defenses against SQL injection in any Node.js application that handles user-supplied data.
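As an added illustration of the two defenses named above (not the Juice Shop code and not the query CodeQL flagged), the following Python example uses an in-memory SQLite table with a constructed, hypothetical `reviews` schema: it contrasts the flagged pattern, query text assembled from user input, with a bound-parameter statement, and adds an allowlist check on the review id before the query runs.

```python
import re
import sqlite3

# Constructed, hypothetical schema for the demo; not the project's own table layout.
SCHEMA = """
CREATE TABLE reviews (id TEXT PRIMARY KEY, product TEXT NOT NULL, likes INTEGER NOT NULL DEFAULT 0);
INSERT INTO reviews VALUES ('r1', 'apple juice', 0), ('r2', 'lemon juice', 0);
"""

# Assumed id format for the allowlist; real applications use whatever their ids actually look like.
REVIEW_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create the throwaway in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_unsafe_query(review_id: str) -> str:
    """The pattern a scanner flags: SQL text built from a user-controlled value.
    Shown for contrast only; this example never executes it."""
    return f"UPDATE reviews SET likes = likes + 1 WHERE id = '{review_id}'"


def validate_review_id(review_id: str) -> str:
    """Allowlist validation: reject anything outside the expected id shape before it reaches the DB."""
    if not REVIEW_ID_RE.fullmatch(review_id):
        raise ValueError("malformed review id")
    return review_id


def like_review(conn: sqlite3.Connection, review_id: str) -> int:
    """Hardened form: the SQL text is constant and the id travels as a bound parameter,
    so the database never parses the user value as SQL. Returns the number of rows changed."""
    cur = conn.execute("UPDATE reviews SET likes = likes + 1 WHERE id = ?", (review_id,))
    conn.commit()
    return cur.rowcount


def likes_for(conn: sqlite3.Connection, review_id: str):
    """Read back the like count for one review, or None if no such row exists."""
    row = conn.execute("SELECT likes FROM reviews WHERE id = ?", (review_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(like_review(db, "r1"), like_review(db, "r1' OR '1'='1"))  # prints: 1 0
```

With binding, an id that contains quote characters simply matches no row; the allowlist check rejects it even earlier, which is the defense-in-depth the article recommends.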