CVE-2020-7597: 
JavaScript vulnerability analysis and mitigation

The codecov-node npm package versions before 3.6.5 contained a command injection vulnerability (CVE-2020-7597). The vulnerability was discovered and disclosed on February 16, 2020, affecting the package's handling of the gcov-root argument. This vulnerability emerged as a result of an incomplete fix for a previous vulnerability (CVE-2020-7596) (Snyk).

The vulnerability exists in the way the package handles the gcov-root argument within lib/codecov.js. The value provided as part of this argument is executed by the exec function without proper sanitization. The issue was later addressed by implementing sanitization that removes ampersand (&) characters from the input (GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (high severity) by NVD and 6.5 (medium severity) by Snyk (Snyk).

The vulnerability could allow remote attackers to execute arbitrary commands on the affected system. This could potentially lead to a total loss of confidentiality, with attackers gaining access to restricted information within the impacted component (Snyk).

The recommended mitigation is to upgrade the codecov package to version 3.6.5 or higher, which includes the security fix. The fix implements proper input sanitization to prevent command injection attacks (Snyk).