Arbitrary Command Execution Vulnerability in zx Tool by Google
CVE-2025-24959

1LOW

Key Information:

Vendor: Google
Status: Zx
Vendor: CVE Published:; 3 February 2025

Summary

The zx tool, widely used for scripting, has a vulnerability that allows an attacker to manipulate environment variable values, potentially leading to arbitrary command execution. This occurs when applications process untrusted input through dotenv.stringify, making them susceptible to unexpected behavior if they rely on environment variables for critical security functions. Users are encouraged to upgrade to version 8.3.2 to address this issue. For those unable to upgrade, it is crucial to sanitize user-controlled values carefully, avoiding characters like double quotes, single quotes, and backticks, or to enforce strict validation on environment variables prior to use.

Affected Version(s)

zx >= 8.3.0, < 8.3.2

References

https://github.com/google/zx/security/advisories/GHSA-qwp...

x_refsource_CONFIRM

https://github.com/google/zx/pull/1094

x_refsource_MISC

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 3, 2025
Vulnerability Reserved
Jan 29, 2025