CVE-2020-7598: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2020-7598 affects the minimist package versions before 1.2.2. This security flaw was discovered on January 21, 2020, and publicly disclosed on March 11, 2020. The vulnerability allows an attacker to perform prototype pollution by tricking the library into adding or modifying properties of Object.prototype using a 'constructor' or 'proto' payload (NVD, CVE).

The vulnerability is classified as a Prototype Pollution issue (CWE-1321) with a CVSS base score of 5.6 (Medium). The attack requires network access but has high complexity, requires no privileges or user interaction, and has an unchanged scope. The vulnerability affects the confidentiality, integrity, and availability of the system, all with low impact ratings. The issue occurs when the library processes argument options and can be exploited through specially crafted payloads targeting the Object.prototype (Snyk).

When exploited, this vulnerability can lead to Denial of Service (DoS), potential Remote Code Execution (RCE), or Property Injection. The DoS can occur when Object holds generic functions that are implicitly called for various operations. Property Injection could allow attackers to pollute properties that the codebase relies on for their informative value, including security properties such as cookies or tokens (Snyk).

The recommended mitigation is to upgrade minimist to version 0.2.1, 1.2.3, or higher. Additional preventive measures include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk).