CVE-2020-7795: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2020-7795 affects the npm package get-npm-package-version versions before 1.0.7. This Command Injection vulnerability was discovered in the main function of index.js and was disclosed on December 11, 2020, with publication following on January 20, 2021. The vulnerability was identified by the JHU System Security Lab (Snyk).

The vulnerability is classified as a Command Injection (CWE-78) with a CVSS v3.1 base score of 9.8 (Critical) according to NVD, while Snyk rates it at 7.3 (High). The vulnerability has network attack vector (AV), low attack complexity (AC), requires no privileges (PR), and needs no user interaction (UI). The scope is unchanged, but it potentially affects confidentiality, integrity, and availability of the system (Snyk).

When exploited, this vulnerability could allow attackers to execute arbitrary commands on the system running the vulnerable package. The impact includes potential loss of confidentiality, integrity, and availability of the affected system, though the attacker's control over the extent of the impact may be limited (Snyk).

The recommended mitigation is to upgrade get-npm-package-version to version 1.0.7 or higher. The fix was implemented through adding input validation that checks for special characters using the regular expression /[`$&{}[;|]/g to prevent command injection attacks (GitHub Commit).