Recently log4j, a Java logging library, has been reported as a zero-day vulnerability security threat. Can 'log4js', a Node logging framework, be a security threat too? If yes, my Node application is using 'karma' as a devDependency and 'log4js' is a nested dependency inside karma. Can this pose any security threat to my application? If yes, how can I mitigate this? I am using karma to run test cases locally.
I would also like to know if this is possible.
There is no Java in log4js, no JNDI, no LDAP. It shares a name, and partially the idea of appenders and loggers. So this vulnerability doesn't really apply to log4j, but @gmillerd's general words of caution against logging user-supplied values directly are worth noting.
Is log4js-node affected by the log4s vulnerability? · Issue #1105 · log4js-node/log4js-node · GitHub