CVE-2025-24959 (CNNVD-202502-213)
中文标题:
zx 代码注入漏洞
英文标题:
Environment Variable Injection for dotenv API in zx
漏洞描述
中文描述:
zx是Google开源的一个编写脚本的工具。 zx 8.3.1版本存在代码注入漏洞,该漏洞源于存在环境变量注入漏洞,会导致命令执行或异常行为。
英文描述:
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before usage.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| zx | >= 8.3.0, < 8.3.2 | - | - |
cpe:2.3:a:google:zx:>=_8.3.0,_<_8.3.2:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
LOWCVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-24959 |
2025-11-11 15:23:10 | 2025-11-11 07:40:15 |
| NVD | nvd_CVE-2025-24959 |
2025-11-11 15:00:41 | 2025-11-11 07:48:06 |
| CNNVD | cnnvd_CNNVD-202502-213 |
2025-11-11 15:12:33 | 2025-11-11 07:59:32 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 代码注入
- cnnvd_id: 未提取 -> CNNVD-202502-213
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']