Skip to main content

CVE-2025-24959

LOW
Code Injection (CWE-94)
2025-02-03 security-advisories@github.com
1.0
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.0 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:07 vuln.today
CVE Published
Feb 03, 2025 - 21:15 nvd
LOW 1.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on zx (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 8.3.1.

DescriptionGitHub Advisory

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. Specifically, avoid using ", ', and backticks in values, or enforce strict validation of environment variables before usage.

AnalysisAI

zx is a tool for writing better scripts. Rated low severity (CVSS 1.0), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. Specifically, avoid using ", ', and backticks in values, or enforce strict validation of environment variables before usage. Version information: version 8.3.2..

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

Share

CVE-2025-24959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy