{
  "schema_version": "1.4.0",
  "id": "GHSA-qwp8-x4ff-5h87",
  "modified": "2025-02-04T17:29:11Z",
  "published": "2025-02-03T22:34:08Z",
  "aliases": [
    "CVE-2025-24959"
  ],
  "summary": "ZX Allows Environment Variable Injection for dotenv API",
  "details": "### Impact\nThis vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx`  version **8.3.1**.\n\nAn attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to **arbitrary command execution** or **unexpected behavior** in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable.\n\n### Patches\nThis issue has been **patched** in version **8.3.2**. Users should **immediately upgrade** to this version to mitigate the vulnerability.\n\n### Workarounds\nIf upgrading is not feasible, users can mitigate the vulnerability by **sanitizing user-controlled environment variable values** before passing them to `dotenv.stringify`. Specifically, avoid using `\"`, `'`, and backticks in values, or enforce strict validation of environment variables before usage.\n\n### References\n- [Issue Report](https://github.com/google/zx/issues/)\n- [Security Policy](https://github.com/google/zx/security/policy)\n- [Google Vulnerability Disclosure](https://g.co/vulnz)\n- [Patch](https://github.com/google/zx/pull/1094)",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zx"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "8.3.1"
            },
            {
              "fixed": "8.3.2"
            }
          ]
        }
      ],
      "versions": [
        "8.3.1"
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/security/advisories/GHSA-qwp8-x4ff-5h87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24959"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/pull/1094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/commit/5ba714d14ecf0555a74d4db96622840ac19839c5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/google/zx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpod/envapi/blob/v0.2.1/src/main/ts/envapi.ts#L74-L77"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T22:34:08Z",
    "nvd_published_at": "2025-02-03T21:15:15Z"
  }
}