Vulnerable Library - zx-8.3.0.tgz

A tool for writing better scripts

Library home page: https://registry.npmjs.org/zx/-/zx-8.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

CVE-2025-24959

Vulnerable Library - zx-8.3.0.tgz

A tool for writing better scripts

Library home page: https://registry.npmjs.org/zx/-/zx-8.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ zx-8.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into "process.env". This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through "dotenv.stringify" are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to "dotenv.stringify". Specifically, avoid using """, "'", and backticks in values, or enforce strict validation of environment variables before usage.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-02-03

URL: CVE-2025-24959

CVSS 3 Score Details (5.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qwp8-x4ff-5h87

Release Date: 2025-02-03

Fix Resolution: zx - 8.3.2

Step up your Open Source Security Game with Mend here