CVE-2025-24959: ZX Allows Environment Variable Injection for dotenv API
CVSS Score
5.2 (CVSS v3.1)
Basic Information
CVE ID
CVE-2025-24959
GHSA ID
EPSS Score
0.28139%
CWE
Published
2/3/2025
Updated
2/4/2025
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| zx | npm | = 8.3.1 | 8.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in how the stringify function of envapi, the dotenv helper that zx depends on, serializes environment variable values. In the pre-patch release (envapi 0.2.1) referenced by the advisory, a formatValue helper chooses a quoting style for each value but does not escape the quote character or backtick it selects, nor does it otherwise sanitize the value. A value under attacker control that contains the chosen delimiter therefore terminates the quoted string early, and whatever follows it, including a line break and further KEY=value text, is read back as additional environment variables when the serialized output is parsed again. Because zx 8.3.1 depended on the affected envapi versions (<=0.2.1), its dotenv.stringify export inherited the flaw. The fix in zx 8.3.2 bumps envapi to 0.2.3, which presumably escapes or rejects such values; the exact change is not shown here. Projects pinned to the affected version should upgrade and can confirm the resolved envapi version in their dependency tree with `npm ls envapi`.
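As an added example that is not envapi's or zx's code, the following JavaScript models the bug class the analysis describes: a dotenv-style serializer that picks a quote character but never escapes it, a simplified parser to read the result back, and a hardened serializer beside it. The quote-selection order, the parser and the attacker-controlled value are constructed for illustration and do not reproduce envapi's actual implementation or its fix.

```javascript
// Added illustration (not envapi's or zx's code): a minimal dotenv-style
// serializer and parser that reproduce the class of bug described above.
// The quote-selection order in formatValueUnsafe is an assumption.

// Vulnerable serializer: picks a quote character the value does not
// contain, but never escapes the delimiter it ends up using. Once the
// value contains both " and ', the backtick fallback wraps a value that
// may also contain a backtick, so the quoted string ends early.
function formatValueUnsafe(value) {
  const s = String(value);
  if (!/[\s"'`#]/.test(s)) return s;          // bare token needs no quoting
  if (!s.includes('"')) return `"${s}"`;
  if (!s.includes("'")) return `'${s}'`;
  return '`' + s + '`';                        // no check that s lacks backticks
}

function stringifyUnsafe(env) {
  return Object.entries(env)
    .map(([key, value]) => `${key}=${formatValueUnsafe(value)}`)
    .join('\n');
}

// Hardened serializer: always double-quote and escape backslashes, the
// quote character and line breaks, so no value can close the string or
// start a new line. Backslashes go first so later escapes are not doubled.
function formatValueSafe(value) {
  const s = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
  return `"${s}"`;
}

function stringifySafe(env) {
  return Object.entries(env)
    .map(([key, value]) => `${key}=${formatValueSafe(value)}`)
    .join('\n');
}

// Minimal dotenv parser: one KEY=value per line, '#' lines are comments,
// a value opened with ", ' or ` runs (across lines) to the next matching
// delimiter, and backslash escapes are honoured inside double quotes.
function parse(text) {
  const env = {};
  const n = text.length;
  let i = 0;
  while (i < n) {
    while (i < n && /\s/.test(text[i])) i++;   // skip blank lines / indentation
    if (i >= n) break;
    if (text[i] === '#') {                       // comment line
      while (i < n && text[i] !== '\n') i++;
      continue;
    }
    const eq = text.indexOf('=', i);
    const nl = text.indexOf('\n', i);
    if (eq === -1 || (nl !== -1 && nl < eq)) {  // no '=' on this line: skip it
      i = nl === -1 ? n : nl + 1;
      continue;
    }
    const key = text.slice(i, eq).trim();
    i = eq + 1;
    let value = '';
    const q = text[i];
    if (q === '"' || q === "'" || q === '`') {
      i++;
      while (i < n && text[i] !== q) {
        if (q === '"' && text[i] === '\\' && i + 1 < n) {
          const e = text[++i];
          value += e === 'n' ? '\n' : e === 'r' ? '\r' : e;
        } else {
          value += text[i];
        }
        i++;
      }
      i++;                                       // closing delimiter
      while (i < n && text[i] !== '\n') i++;     // ignore trailing text
    } else {
      while (i < n && text[i] !== '\n') value += text[i++];
      value = value.trim();
    }
    env[key] = value;
  }
  return env;
}

// Round trips: what a consumer gets back after the serialized output is
// re-read with the parser above.
function roundTripUnsafe(env) { return parse(stringifyUnsafe(env)); }
function roundTripSafe(env) { return parse(stringifySafe(env)); }

// Constructed attacker-controlled value: contains every quote character so
// the vulnerable serializer falls back to backticks, then a line break and
// a second assignment. The trailing '#' comments out the stray delimiter.
const ATTACKER_VALUE = "x'\"`\nINJECTED=1\n#";

console.log(roundTripUnsafe({ A: ATTACKER_VALUE }));  // INJECTED: '1' appears
console.log(roundTripSafe({ A: ATTACKER_VALUE }));    // only A, value intact
```

Run with node: the first round trip yields an INJECTED variable the caller never set, while the second returns only A with its original value. The property worth testing in any dotenv writer, whatever library backs it, is that the serialized output never gains a line the caller did not supply, and that every value survives a round trip through the matching parser unchanged.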