CVE-2025-59433: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59433 affects the @conventional-changelog/git-client package prior to version 2.0.0. The vulnerability was discovered and disclosed on September 20, 2025. This argument injection vulnerability exists in the library's getTags() API, which allows extra parameters to be passed to the git log command (GitHub Advisory).

The vulnerability stems from improper handling of command-line parameters in the getTags() API. Unlike the getRawCommits() API which implements secure practices by using the special shell syntax '--' to prevent argument injection, getTags() lacks proper input sanitization, parameter validation, and allowlist restrictions. Additionally, it fails to properly use double-dash POSIX characters to indicate the end of options when passing command-line flags to the git binary. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability allows attackers to exploit the --output= command-line option in Git to overwrite arbitrary files on the system. While the scope is limited to writing files with git log output, it can be used to overwrite any file on the system, including sensitive files like .env or critical system configurations in /etc when the application runs with elevated privileges (GitHub Advisory).

The vulnerability has been patched in version 2.0.0 of @conventional-changelog/git-client. Users should upgrade to this version or later to mitigate the risk. The fix removes the ability to pass additional git parameters for security reasons (GitHub Commit).