🛡️ CVE-2025-24959
⚪ Unknown ✅ No Known Exploit CWE-94 NVD
N/A
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before usage.

Details

Severity Unknown
CVSS Score N/A
CVSS Vector N/A
CWE CWE-94
Public Exploit ✅ No
Source NVD
Published 2025-02-03
Updated 2026-06-02
Modified 2026-04-15
Fix URL N/A

Affected Packages

Software From version Fixed in
unknown
zx

Similar Threats

Site Security Check

Concerned your site may already be targeted?

BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.

Check My Site Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.