CVE-2025-24959: 
JavaScript vulnerability analysis and mitigation

zx is a tool for writing better scripts that was found to contain a vulnerability (CVE-2025-24959) in version 8.3.1. The vulnerability was discovered and disclosed in February 2025, affecting the dotenv.stringify functionality. The issue allows attackers with control over environment variable values to inject unintended environment variables into process.env (GitHub Advisory).

The vulnerability is an Environment Variable Injection issue in the dotenv.stringify API. When processing environment variables, the function fails to properly validate input values, allowing injection of malicious content through special characters like quotes and backticks. This vulnerability received a CVSS v3.1 base score of 5.2 (Moderate) with the following vector: AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly at risk. The impact is primarily focused on availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 8.3.2, and users are strongly advised to upgrade to this version. For cases where immediate upgrading is not possible, users can implement workarounds by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. This includes avoiding the use of quotes and backticks in values and implementing strict validation of environment variables before usage (GitHub Advisory).