Anonymous Intelligence Signal

Critical CodeQL Alert: Type Confusion Vulnerability in Juice-Shop routes/search.ts — CVSS 9.8

human | The Lab | unverified | 2026-04-24 04:54:09 | Source: GitHub Issues

A scheduled CodeQL security scan has flagged a critical type confusion finding in the OWASP Juice-Shop repository, specifically within the `routes/search.ts` file at line 22. The alert, raised by the query `js/type-confusion-through-parameter-tampering`, carries a severity score of 9.8 (CodeQL's security-severity, expressed on the CVSS scale), placing it in the critical range. The issue is that an HTTP request parameter may be interpreted as either an array or a string, so code written for one shape can be driven into the other by tampering with the request. The finding was generated automatically by the repository's security scan workflow on April 9, 2026.

The weakness exists wherever the codebase fails to enforce a single type for user-supplied input. In Node.js/Express applications, `req.query` is built by a query-string parser (Node's `querystring` module for the "simple" setting, the `qs` package for "extended"), and that parser, not JavaScript's type system, decides the shape of each value: a single `?q=term` arrives as a string, but repeating the key (`?q=a&q=b`) yields an array, and the `qs` parser additionally turns `?q[]=a` into an array and `?q[key]=a` into an object. Code that assumes `q` is always a string will often still run on an array, because methods such as `indexOf`, `includes` and `length` exist on both types with different semantics; a blocklist check written for a string can pass on an array, and a later string coercion (`'%' + q + '%'`, `String(q)`) joins the elements with commas and reintroduces the characters the check was meant to stop. According to the alert, the code path at `routes/search.ts:22` does not normalize or validate the parameter's type before using it, which is the pattern this query looks for.

The impact of a type confusion of this kind ranges from logic bypasses to injection, and in some cases further, depending entirely on the sink the mishandled parameter flows into; CodeQL's score reflects the worst case for the pattern, not a confirmed exploit path in this repository. Because Juice-Shop is a deliberately vulnerable training target, the finding is unsurprising there, and the lesson is for production-grade Express applications: check `typeof value === 'string'` (or validate `req.query` against a schema) before any sanitization or comparison, decide explicitly whether arrays are rejected or reduced to one value, and never rely on a check whose semantics change with the input's type.