High-Severity SQL Injection Vulnerability Detected in juice-shop Product Review Route
A CodeQL automated security scan has identified a high-severity SQL injection vulnerability in the OWASP juice-shop e-commerce platform. The flaw resides in `routes/likeProductReviews.ts` at line 25, where a database query is constructed using user-controlled input without sufficient sanitization. The vulnerability carries a CVSS score of 8.8, placing it in the high-severity range and exceeding the threshold for immediate remediation.
The CodeQL rule `js/sql-injection` flagged the issue during a scheduled security scan of the repository maintained by user taiqi121. According to the scan report dated March 8, 2026, the query object directly depends on values originating from untrusted user sources. This pattern is a well-known attack vector that could allow malicious actors to manipulate database queries, potentially granting unauthorized access to sensitive data, modifying records, or executing arbitrary commands on the underlying database server.
Security researchers recommend reviewing the identified code path at `routes/likeProductReviews.ts:25` to implement proper input validation, parameterized queries, or query sanitization before the vulnerability can be exploited in production environments. The juice-shop platform, widely used for security training and CTF challenges, has been the subject of numerous security audits; however, this finding underscores the importance of continuous automated scanning in maintaining secure codebases. Organizations running instances of this or similar fork repositories should apply patches or workarounds promptly and monitor for indicators of exploitation attempts targeting this attack surface.
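The validation the recommendation calls for, as an added example rather than juice-shop's own code: the route's real query shape, the `id` field name and the 24-hex-character id format are all assumptions, but the structure shows the unvalidated pattern CodeQL flags beside a hardened version that lets only a well-formed string reach the query object.

```typescript
// Added illustration, not code from routes/likeProductReviews.ts.
// Assumed: the handler receives a JSON body with an `id` field and turns it
// into a document-store query object like { _id: <id> }.

type LikeQuery = { _id: string };

// Unvalidated shape: whatever JSON the client sent becomes the query value.
// Because JSON can carry objects and arrays, the "id" may not be a string at
// all, and the query object then contains attacker-chosen structure. This is
// the user-source-to-query flow the js/sql-injection rule reports.
function buildLikeQueryUnsafe(body: { id?: unknown }): { _id: unknown } {
  return { _id: body.id };
}

// Hardened: allowlist the id format (assumed 24 lowercase hex chars) and
// reject anything that is not a plain string before building the query.
const REVIEW_ID = /^[0-9a-f]{24}$/;

function parseReviewId(input: unknown): string | null {
  if (typeof input !== 'string') return null; // objects, arrays, numbers out
  if (!REVIEW_ID.test(input)) return null;    // allowlist, not a denylist
  return input;
}

function buildLikeQuery(body: { id?: unknown }): LikeQuery | null {
  const id = parseReviewId(body.id);
  return id === null ? null : { _id: id };
}

// Minimal handler outline: a bad id is a 400, never a database call.
function handleLike(body: { id?: unknown }): { status: number; query?: LikeQuery } {
  const query = buildLikeQuery(body);
  if (query === null) return { status: 400 };
  // The actual update (omitted here) would run with `query` only.
  return { status: 200, query };
}
```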