log4js@2.3.5 vulnerabilities

Port of Log4js to work with node.

Direct Vulnerabilities

Known vulnerabilities in the log4js package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

log4js is a Port of Log4js to work with node.

Affected versions of this package are vulnerable to Information Exposure via the default file permissions for log files that are created by the file, fileSync and dateFile appenders which are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

How to fix Information Exposure?

Upgrade log4js to version 6.4.0 or higher.

<6.4.0