CVE-2025-24959

Good to know:

Date: February 3, 2025

zx is a tool for writing better scripts. An attacker who controls environment variable values can inject unintended environment variables into "process.env". This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through "dotenv.stringify" are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to "dotenv.stringify". Specifically, avoid double quotes ("), single quotes ('), and backticks (`) in values, or enforce strict validation of environment variables before use.
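The following is an added example, not code from zx or from this advisory, showing the "strict validation before use" mitigation described above: an allow-list check that rejects any key or value carrying the quote and backtick characters the advisory names, applied before the object reaches a dotenv-style serializer. The function names, the extra rejection of newline and NUL characters, and the sample objects are assumptions constructed for this illustration.

```javascript
// Added example (not code from zx or from this advisory): validate
// environment variable values before they are handed to a dotenv-style
// serializer such as zx's dotenv.stringify. Names and sample data below
// are constructed for illustration.

// Characters the advisory says must not appear in values: double quote,
// single quote and backtick. Newline and NUL are rejected as well
// (assumption: a KEY=VALUE line format cannot represent them safely).
const FORBIDDEN_VALUE_CHARS = /["'`\r\n\0]/;

// Keys are restricted to the usual shell identifier shape.
const KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeEnvValue(value) {
  return typeof value === 'string' && !FORBIDDEN_VALUE_CHARS.test(value);
}

// Returns { ok: true, env } with a frozen copy of the validated variables,
// or { ok: false, errors } naming every offending entry. Values are never
// rewritten silently: anything that fails the check is rejected outright,
// so a partially "cleaned" value can never reach the serializer.
function validateEnv(input) {
  const errors = [];
  const env = {};
  for (const [key, value] of Object.entries(input)) {
    if (!KEY_PATTERN.test(key)) {
      errors.push(`invalid key name: ${JSON.stringify(key)}`);
      continue;
    }
    if (!isSafeEnvValue(value)) {
      errors.push(`forbidden character in value of ${key}`);
      continue;
    }
    env[key] = value;
  }
  return errors.length === 0
    ? { ok: true, env: Object.freeze(env) }
    : { ok: false, errors };
}

// Constructed sample input: the first object is benign; the second carries
// the single quote and backtick characters the advisory warns about.
const benignInput = { APP_ENV: 'production', PORT: '8080' };
const hostileInput = { APP_ENV: 'production', GREETING: "it's", CMD: '`id`' };

// Runs both samples through the validator and returns the two results.
function demo() {
  return [validateEnv(benignInput), validateEnv(hostileInput)];
}

for (const result of demo()) {
  console.log(JSON.stringify(result));
}
```

In an application, call validateEnv on the untrusted object first and only pass result.env on to the serializer when result.ok is true; the errors array is what you would log for detection of attempted injection.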

Severity Score

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade zx to version 8.3.2

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH
