CVE-2020-7619: 
JavaScript vulnerability analysis and mitigation

get-git-data through 1.3.1 is vulnerable to Command Injection (CVE-2020-7619). The vulnerability was discovered and disclosed on April 2, 2020. The package allows injection of arbitrary commands as part of the arguments provided to get-git-data. This affects all versions of the package up to and including version 1.3.1 (Snyk).

The vulnerability exists in the argument handling of the package where the 'limit' parameter can be controlled by users without any sanitization. When calling the log() function, user-supplied input is directly incorporated into shell commands without proper validation or escaping. The vulnerability has been assigned a CVSS v3.1 score of 5.9 (medium severity) by Snyk, with high impact on confidentiality (Snyk).

A successful exploitation of this vulnerability could allow attackers to execute arbitrary commands on the system where the package is being used. The impact primarily affects confidentiality, with potential for complete disclosure of resources within the impacted component (Snyk).

There is no fixed version available for get-git-data. Users are advised to either implement their own input validation before passing arguments to the package or consider using alternative packages with proper security implementations (Snyk).