Information Exposure Affecting log4js Open this link in a new tab package, versions <6.4.0

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    20 Jan 2022

  • disclosed

    20 Jan 2022

  • credit

    Lam Wei Li, ranjit-git

How to fix?

Upgrade log4js to version 6.4.0 or higher.


log4js is a Port of Log4js to work with node.

Affected versions of this package are vulnerable to Information Exposure via the default file permissions for log files that are created by the file, fileSync and dateFile appenders which are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.