CVE-2025-59433: @conventional-changelog/git-client has Argument Injection vulnerability
While the scope is only limited to writing a file with input from the git log result, it still allows to specify and overwrite any arbitrary files on disk, such as .env or as far as critical system configuration at /etc if the application is running as privileged root user.
It may be the library’s design choice to expose a generic params object to allow any consuming users to specify random Git command line arguments, however it could be abused by attackers when developers aren’t aware of the security risks which aren’t communicated. As such, I recommend not ignoring, and either patching this insecure design gap with hardened secure coding practices (like in other APIs mentioned previously) or adding a security disclaimer to this library’s documentation.
References
- github.com/advisories/GHSA-vh25-5764-9wcr
- github.com/conventional-changelog/conventional-changelog
- github.com/conventional-changelog/conventional-changelog/commit/d95c9ffac05af58228bd89fa0ba37ad65741c6a2
- github.com/conventional-changelog/conventional-changelog/security/advisories/GHSA-vh25-5764-9wcr
- nvd.nist.gov/vuln/detail/CVE-2025-59433
Code Behaviors & Features
Detect and mitigate CVE-2025-59433 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →