CVE-2020-28438: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2020-28438) affects all versions of the deferred-exec package, which is a tool for running exec commands in a sane way. The vulnerability was discovered and disclosed on January 26, 2021, by the JHU System Security Lab (Snyk Advisory).

The vulnerability is classified as a Command Injection vulnerability (CWE-78) with a critical CVSS v3.1 base score of 9.8. The injection point is specifically located in line 42 in lib/deferred-exec.js. The vulnerability has a network attack vector, low attack complexity, requires no privileges or user interaction, and can result in high impact across confidentiality, integrity, and availability (Snyk Advisory).

If exploited, this vulnerability can lead to total loss of confidentiality, integrity, and availability of the affected system. An attacker can potentially execute arbitrary commands, access sensitive information, modify protected files, and cause complete system unavailability (Snyk Advisory).

There is no fixed version available for the deferred-exec package. Users are advised to consider using alternative packages or implementing additional security controls to mitigate the risk (Snyk Advisory).