CVE-2025-24959: ZX Allows Environment Variable Injection for dotenv API
This vulnerability is an Environment Variable Injection issue in dotenv.stringify, affecting google/zx version 8.3.1.
An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable.
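As an added illustration (not zx's or envapi's own code), a naive dotenv serializer beside a hardened one, with a round-trip check that flags the kind of injection described above. The stringifyUnsafe, stringifySafe, parse and roundTripsCleanly helpers, the constructed sample input and the newline-based mechanism are assumptions for this example, not details taken from the advisory.

```javascript
// Added example: a key=value serializer must not let a VALUE introduce a
// second assignment. Assumed mechanism: writing values raw lets a value that
// contains a newline become its own KEY=VALUE line when parsed back.

// Naive serializer (contrast only): values are written without quoting.
function stringifyUnsafe(obj) {
  return Object.entries(obj).map(([k, v]) => `${k}=${v}`).join('\n');
}

// Hardened serializer: validates keys, double-quotes every value and escapes
// backslashes, quotes and line breaks, so output is exactly one line per key.
function stringifySafe(obj) {
  const lines = [];
  for (const [k, v] of Object.entries(obj)) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(k)) throw new Error(`bad key: ${k}`);
    const s = String(v)
      .replace(/\\/g, '\\\\').replace(/"/g, '\\"')
      .replace(/\n/g, '\\n').replace(/\r/g, '\\r');
    lines.push(`${k}="${s}"`);
  }
  return lines.join('\n');
}

// Simplified dotenv-style parser (not the real one): KEY=VALUE per line;
// double-quoted values understand \n, \r, \" and \\ escapes.
function parse(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let val = m[2].trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1).replace(/\\(.)/g, (_, c) => ({ n: '\n', r: '\r' })[c] ?? c);
    }
    out[m[1]] = val;
  }
  return out;
}

// Defensive invariant: serialized output must parse back to exactly the same
// keys and values. Any extra key means a value smuggled in an assignment.
function roundTripsCleanly(obj, stringify) {
  const back = parse(stringify(obj));
  const keys = Object.keys(obj);
  return Object.keys(back).length === keys.length &&
    keys.every((k) => back[k] === String(obj[k]));
}

// Constructed sample: NOTE comes from an untrusted source and carries a newline.
const untrustedSample = { APP: 'web', NOTE: 'hello\nEXTRA=1' };
```

Running roundTripsCleanly(untrustedSample, stringifyUnsafe) returns false because the parsed result gains an EXTRA key, while the hardened serializer round-trips cleanly.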
References
- github.com/advisories/GHSA-qwp8-x4ff-5h87
- github.com/google/zx
- github.com/google/zx/commit/5ba714d14ecf0555a74d4db96622840ac19839c5
- github.com/google/zx/pull/1094
- github.com/google/zx/security/advisories/GHSA-qwp8-x4ff-5h87
- github.com/webpod/envapi/blob/v0.2.1/src/main/ts/envapi.ts
- nvd.nist.gov/vuln/detail/CVE-2025-24959