CVE-2019-10801: 
JavaScript vulnerability analysis and mitigation

CVE-2019-10801 affects enpeem through version 2.2.0, a lightweight wrapper for accessing npm programmatically. The vulnerability allows execution of arbitrary commands through unsanitized input. The vulnerability was disclosed and published on February 28, 2020 (NVD, Snyk).

The vulnerability exists because the options.dir argument is provided to the exec function without any sanitization, enabling command injection attacks. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (NVD).

A successful exploitation of this vulnerability could lead to arbitrary command execution on the affected system, potentially resulting in complete system compromise. The attacker could execute malicious commands with the privileges of the application running the vulnerable enpeem package (Snyk).

There is no fixed version available for enpeem. Users are advised to find alternative packages or implement proper input sanitization if continuing to use the vulnerable package (Snyk).