CVE-2023-49210: 
JavaScript vulnerability analysis and mitigation

The openssl (aka node-openssl) NPM package through version 2.0.0 contains a critical command injection vulnerability. The package, which was described by its author as 'a nonsense wrapper with no real purpose,' accepts an opts argument containing a verb field that can be exploited for arbitrary command execution. This vulnerability affects all versions up to and including 2.0.0, and notably, the package is no longer supported by its maintainer (NVD, CVE-MITRE).

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command Injection). The package's exported openssl() function in index.js accepts an 'opts' argument which contains a 'verb' field that can be used to inject malicious commands. The CVSS v3.1 base score is 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD, GitHub-Gist).

The vulnerability allows attackers to execute arbitrary commands on the system running the affected package. Due to the command injection nature of the vulnerability, an attacker can potentially achieve full system compromise, leading to unauthorized access, data theft, or system manipulation (NVD).

Since the package is no longer supported by its maintainer, users are advised to immediately remove this package from their dependencies and seek alternative solutions. The package has been deprecated on the NPM registry with a notice indicating it is no longer supported (NPM-Package).