CVE-2020-28447: 
JavaScript vulnerability analysis and mitigation

CVE-2020-28447 affects all versions of the xopen package, which provides a Promise API for opening files from Node on Windows, macOS, and Linux. The vulnerability was discovered and disclosed on January 26, 2021, by the JHU System Security Lab. This command injection vulnerability exists in the exported function xopen(filepath) in line 14 of index.js (Snyk Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-based, requires low complexity, needs no privileges or user interaction, has unchanged scope, and can result in high impact across confidentiality, integrity, and availability. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (Snyk Advisory).

A successful exploitation of this vulnerability can lead to total loss of confidentiality, integrity, and availability of the affected system. The attacker can potentially access and modify any files protected by the impacted component, and cause complete denial of access to resources (Snyk Advisory).

Currently, there is no fixed version available for the xopen package. Users are advised to consider alternative packages or implement additional security controls to mitigate the risk (Snyk Advisory).