CVE-2025-24959
February 03, 2025
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into "process.env". This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through "dotenv.stringify" are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to "dotenv.stringify". Specifically, avoid using """, "'", and backticks in values, or enforce strict validation of environment variables before usage.
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
1
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
ACTIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.2
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
EPSS
Base Score:
0.09
