CVE-2019-10789: 
JavaScript vulnerability analysis and mitigation

CVE-2019-10789 affects all versions of curling.js, a Node.js wrapper for curl with a simple API. The vulnerability was discovered and disclosed on February 6, 2020, and impacts the package's run function, which is susceptible to command injection attacks. The vulnerability affects all versions of the curling package prior to version 1.1.0 (NVD, Snyk).

The vulnerability exists in the run(command, cb) function where the command argument can be controlled by users without any sanitization. This command injection vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (NVD).

The vulnerability allows attackers to execute arbitrary commands on the affected system through the curling package. This can lead to a complete compromise of the system's confidentiality, integrity, and availability. The exploit probability is rated at 35.85% (98th percentile) according to the EPSS model (Snyk).

The recommended mitigation is to upgrade the curling package to version 1.1.0 or higher, which contains the fix for this vulnerability (Snyk).