CVE-2019-10803: 
JavaScript vulnerability analysis and mitigation

CVE-2019-10803 affects push-dir through version 0.4.1, a package designed to push the contents of a directory to a remote branch. The vulnerability was discovered and disclosed on February 28, 2020. The issue affects all versions of push-dir up to and including version 0.4.1 running on Node.js (NVD).

The vulnerability is a command injection flaw where arguments provided as part of the variable 'opt.branch' are not properly validated before being passed to the git command within index.js#L139. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it is remotely exploitable with no privileges or user interaction required (NVD, Snyk).

If exploited, this vulnerability could allow an attacker to inject and execute arbitrary commands through the unvalidated opt.branch parameter. The high severity rating indicates potential for complete system compromise, with full confidentiality, integrity, and availability impacts (Snyk).

There is currently no fixed version available for push-dir. Users are advised to either discontinue use of the package or implement additional input validation before passing values to the opt.branch parameter (Snyk).