UBUNTU-CVE-2025-24959

Source
https://ubuntu.com/security/CVE-2025-24959
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-24959.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-24959
Related
  • CVE-2025-24959
Published
2025-02-03T21:15:00Z
Modified
2025-02-06T16:36:57Z
Summary
[none]
Details

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. Specifically, avoid using double quotes ("), single quotes ('), and backticks (`) in values, or enforce strict validation of environment variables before usage.

References

Affected packages

Ubuntu:24.10 / node-zx

Package

Name
node-zx
Purl
pkg:deb/ubuntu/node-zx@7.1.1+~cs6.7.23-3?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

7.*

7.1.1+~cs6.7.23-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / node-zx

Package

Name
node-zx
Purl
pkg:deb/ubuntu/node-zx@7.1.1+~cs6.7.23-3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

7.*

7.1.1+~cs6.7.23-2
7.1.1+~cs6.7.23-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}