
Cloud Vulnerability DB
A community-led vulnerabilities database
The taffydb npm module, in all versions up to and including 2.7.3, contains a vulnerability that allows attackers to forge additional properties in user input processed by the taffy library. This vulnerability was discovered and disclosed on February 5, 2020, affecting both the taffy package and its successor taffydb (Snyk Advisory, NVD).
The vulnerability stems from how taffy handles internal indexing of the data items in its database. Because each item's internal index follows an easily guessable format (e.g., T000002R000001), it can be forged by adding extra properties to user-supplied input. When a query contains such an index, taffyDB ignores the other query conditions and directly returns the indexed data item. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
This vulnerability allows attackers to access any data items in the database by bypassing query conditions. The impact primarily affects data confidentiality, as attackers can potentially access sensitive information stored in the database. The CVSS scoring indicates high confidentiality impact with no impact on integrity or availability (Snyk Advisory).
There is no fixed version available for the taffydb package. The package has been deprecated by the author, and its successor package (taffydb) is also vulnerable and not actively maintained (Snyk Advisory).
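Since no fixed version exists, the practical mitigation is on the application side: never pass a user-controlled object straight into the query. The following is an added example (not taffydb's own code): a minimal model of the index-shortcut behaviour the advisory describes, beside an allowlist filter that drops internal keys before a query reaches the store. It assumes the internal index property is named `___id`, and the rows and owners are constructed sample data.

```javascript
const INDEX_KEY = '___id'; // internal index field (assumption: same name as taffydb's)

// Minimal model of the behaviour the advisory describes (not taffydb code):
// a query carrying a known internal index returns that row directly and
// every other condition is ignored.
function makeStore(rows) {
  const byIndex = new Map();
  rows.forEach((row, i) => {
    const id = `T000001R${String(i + 1).padStart(6, '0')}`; // guessable format
    byIndex.set(id, { ...row, [INDEX_KEY]: id });
  });
  return {
    query(q) {
      const hasIndex = Object.prototype.hasOwnProperty.call(q, INDEX_KEY);
      if (hasIndex && byIndex.has(q[INDEX_KEY])) return [byIndex.get(q[INDEX_KEY])];
      return [...byIndex.values()].filter(row =>
        Object.entries(q).every(([k, v]) => row[k] === v));
    },
  };
}

// Mitigation: rebuild the query from an allowlist of caller-filterable
// fields, so internal keys present in user input never reach the store.
function sanitizeQuery(userQuery, allowedFields) {
  const clean = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(userQuery, field)) clean[field] = userQuery[field];
  }
  return clean;
}

// Constructed sample data: each row belongs to exactly one owner.
const store = makeStore([
  { owner: 'alice', doc: 'alice-notes' },
  { owner: 'bob', doc: 'bob-secret' },
]);

// Server-side lookup that must stay scoped to the authenticated owner.
// sanitize=false reproduces the vulnerable pattern; sanitize=true applies the fix.
function lookupDocs(owner, userFilter, sanitize) {
  const q = sanitize ? sanitizeQuery(userFilter, ['doc']) : { ...userFilter };
  q.owner = owner; // scoping condition added by the server
  return store.query(q).map(r => r.doc);
}
```

With the allowlist in place, a forged index key in the user filter is discarded and the owner scoping condition is enforced as intended.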
Source: This report was generated using AI