Use of Externally-Controlled Format String
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-134: Use of Externally-Controlled Format String |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Medium |
Description
In Node.js, util.format and the console methods (console.log, console.error, and so on) treat their first argument as a printf-style format string whenever further arguments follow: specifiers such as %s, %d, %j and %o consume the following arguments in order, and %% collapses to a single %. If that first argument is built from user input (for example a template literal that interpolates a username), an attacker can inject specifiers that swallow, shift or reformat the remaining arguments, changing what ends up in the log. Use a constant format string and pass user-controlled values only as arguments, where any specifiers they contain are emitted literally.
Impact
If exploited, an attacker can forge or obscure log entries: a specifier placed in their input consumes a value meant for a later field, so the entry records that value in the wrong place and leaves an unconsumed specifier where the real value should have been, and a doubled percent sign in the input is silently rewritten. This makes it harder to reconstruct activity, debug issues or trust the logs during incident response. Unlike a format string bug in C, Node's formatter is plain string handling and never reads or writes process memory, which is consistent with the Low impact rating: the risk is to log integrity, not to the process itself.