CVE-2019-10788: 
JavaScript vulnerability analysis and mitigation

im-metadata through version 3.0.1 is affected by a command injection vulnerability identified as CVE-2019-10788. The vulnerability was discovered and disclosed on February 4, 2020. The package, which is used to retrieve image metadata as a JSON object using ImageMagick's identify command, allows remote attackers to execute arbitrary commands via the 'exec' argument (NVD).

The vulnerability exists because the package fails to properly validate input before processing it through the exec function. It is possible to inject arbitrary commands as part of the metadata options which are passed to the exec function. The vulnerability has been assigned a CVSS score of 9.8 (Critical) by NVD and 7.5 (High) by Snyk, indicating its severe nature (Snyk).

If exploited, this vulnerability can lead to arbitrary command execution on the affected system. An attacker can execute malicious commands with the privileges of the application running the vulnerable package. The vulnerability requires no special privileges or user interaction to exploit, making it particularly dangerous (Snyk).

A fix has been implemented in the master branch of the repository that includes input validation to check for suspicious characters before processing. The fix includes a regular expression check that validates the path argument against potentially malicious characters such as ;, &, `, $, (), ||, |, !, >, <, ?, and ${. However, this fix has not yet been published as a new version (GitHub Commit).