CVE-2020-7614: 
JavaScript vulnerability analysis and mitigation

npm-programmatic through version 0.0.12 is vulnerable to Command Injection. The vulnerability exists because the packages and option properties are concatenated together without proper validation before being used by the exec function directly (Snyk, NVD). The vulnerability was discovered and disclosed on April 1, 2020.

The vulnerability occurs when the package concatenates user input without proper sanitization before passing it to the exec function. This allows attackers to inject arbitrary shell commands. A proof of concept demonstrates that an attacker can execute malicious commands by passing specially crafted input to the install function: var root = require("npm-programmatic"); var attack_code = "& echo vulnerable > create.txt &"; root.install([attack_code], {"cwd": "./"}); (Snyk).

This vulnerability can lead to remote code execution if the library is called with untrusted input. An attacker could potentially execute arbitrary commands on the system where the vulnerable code is running (Snyk).

There is no fixed version available for npm-programmatic. Users should consider using alternative packages or implementing proper input validation and sanitization before passing any user-controlled data to the package (Snyk).