CVE-2022-29080: 
JavaScript vulnerability analysis and mitigation

The npm-dependency-versions package through version 0.3.0 for Node.js contains a command injection vulnerability. The vulnerability exists because the package fails to properly sanitize the 'pkgs' parameter before passing it to a command execution API, allowing attackers to execute arbitrary commands if they can control the input (GitHub Issue, NVD).

The vulnerability is classified as a command injection flaw (CWE-78) related to improper neutralization of special elements used in an OS command. The issue has a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability can be triggered by calling the dependencyVersions function with a JSON object containing shell metacharacters in the 'pkgs' value (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary commands on the system where the package is running. Given the CVSS score of 9.8, this indicates the potential for complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

Users should upgrade to a version newer than 0.3.0 if one is available. If upgrading is not possible, users should carefully validate and sanitize any input passed to the dependencyVersions function, particularly the 'pkgs' parameter, to prevent command injection attacks (NPM Package).