CVE-2025-24959: ZX Allows Environment Variable Injection for dotenv API
(updated )
This vulnerability is an Environment Variable Injection issue in dotenv.stringify, affecting google/zx version 8.3.1.
An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable.
References
- github.com/advisories/GHSA-qwp8-x4ff-5h87
- github.com/google/zx
- github.com/google/zx/commit/5ba714d14ecf0555a74d4db96622840ac19839c5
- github.com/google/zx/pull/1094
- github.com/google/zx/security/advisories/GHSA-qwp8-x4ff-5h87
- github.com/webpod/envapi/blob/v0.2.1/src/main/ts/envapi.ts
- nvd.nist.gov/vuln/detail/CVE-2025-24959
Detect and mitigate CVE-2025-24959 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →