Low severityNVD Advisory· Published Feb 3, 2025· Updated Apr 15, 2026

CVE-2025-24959

Description

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. Specifically, avoid using ", ', and backticks in values, or enforce strict validation of environment variables before usage.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
zxnpm	>= 8.3.1, < 8.3.2	8.3.2

Patches

5ba714d14ecf

fix: check user input on `dotenv.stringify` (#1094)

https://github.com/google/zxAnton GolubFeb 1, 2025via ghsa

commit

2 files changed · +8 −8

package.json+2 −2 modified

@@ -1,6 +1,6 @@
 {
   "name": "zx",
-  "version": "8.4.0",
+  "version": "8.3.2",
   "description": "A tool for writing better scripts",
   "type": "module",
   "main": "./build/index.cjs",
@@ -110,7 +110,7 @@
     "cronometro": "^4.0.3",
     "depseek": "^0.4.1",
     "dts-bundle-generator": "^9.5.1",
-    "envapi": "^0.2.1",
+    "envapi": "^0.2.3",
     "esbuild": "^0.24.2",
     "esbuild-node-externals": "^1.16.0",
     "esbuild-plugin-entry-chunks": "^0.1.15",

package-lock.json+6 −6 modified

@@ -1,12 +1,12 @@
 {
   "name": "zx",
-  "version": "8.4.0",
+  "version": "8.3.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "zx",
-      "version": "8.4.0",
+      "version": "8.3.2",
       "license": "Apache-2.0",
       "bin": {
         "zx": "build/cli.js"
@@ -25,7 +25,7 @@
         "cronometro": "^4.0.3",
         "depseek": "^0.4.1",
         "dts-bundle-generator": "^9.5.1",
-        "envapi": "^0.2.1",
+        "envapi": "^0.2.3",
         "esbuild": "^0.24.2",
         "esbuild-node-externals": "^1.16.0",
         "esbuild-plugin-entry-chunks": "^0.1.15",
@@ -3030,9 +3030,9 @@
       }
     },
     "node_modules/envapi": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/envapi/-/envapi-0.2.1.tgz",
-      "integrity": "sha512-gWPqNxnV4PltW0jJk8qNGD7LVU5rXvZPNYt0kwLjKTNOYUkFeLjykpeNpXQycTSGdTgqj8r7tQDJIre62t9tJw==",
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/envapi/-/envapi-0.2.3.tgz",
+      "integrity": "sha512-kSPSecU+/eH0IajEYZ/LndeBjzSBmLyp/SZFgx8Zgyeu0SoGioHkICOOVJgJLaX/rqZrCrQ+eDxiaYNVcyCsbQ==",
       "dev": true,
       "license": "MIT"
     },

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-qwp8-x4ff-5h87ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-24959ghsaADVISORY
github.com/google/zx/commit/5ba714d14ecf0555a74d4db96622840ac19839c5ghsaWEB
github.com/google/zx/pull/1094nvdWEB
github.com/google/zx/security/advisories/GHSA-qwp8-x4ff-5h87nvdWEB
github.com/webpod/envapi/blob/v0.2.1/src/main/ts/envapi.tsghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000