CVE-2025-25975

Vulnerability

Overview

The parse-git-config library (v3.0.0) contains a prototype pollution vulnerability in the expandKeys function, located at index.js line 134 [1][3]. The function fails to sanitize object keys, allowing an attacker to inject properties like __proto__ into the global Object.prototype. This is a classic prototype pollution bug that can lead to unexpected behavior across the application.

Exploitation

An attacker can exploit this by supplying a crafted configuration object to expandKeys. For example, passing { '__proto__ "isPolluted"': true } will pollute the prototype chain, making {}.isPolluted return true [3]. The attack requires the attacker to control the input to expandKeys, which may occur if the library is used to parse user-supplied .git/config files or if the application exposes the function to external data. No authentication is needed if the attacker can provide such input.

Impact

Prototype pollution can escalate to more severe attacks. If the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), an attacker could achieve arbitrary code execution within the application's context [3]. Additionally, it may lead to information disclosure or denial of service, depending on how the library is integrated. The official CVE description notes that an attacker can obtain sensitive information via this function [2].

Mitigation

As of the latest release (v3.0.0), no patch has been published [1][3]. Users should avoid passing untrusted input to expandKeys or consider using an alternative library. If the library is used to parse .git/config files, ensure that the file path is controlled and not user-supplied. Monitor the GitHub repository for future updates.