Agreed. This is clearly a "this library is not what you want to use" situation, not a "there was a vuln" situation.
You don't need or want your logger to be this complex. We have much better, language-agnostic solutions.
Quote Tweet
This is not a case where you just patch the library and move on from it. Look at this nonsense: news.ycombinator.com/item?id=295063. Why do the parameters go through string interpolation...?
Don't even need an RCE vector for this to be a completely broken system:
twitter.com/_StaticFlow_/s

