Argument Injection Vulnerability in Conventional Changelog's Git Client
CVE-2025-59433

5.3MEDIUM

Key Information:

Vendor: Conventional-changelog
Status: Conventional-changelog
Vendor: CVE Published:; 22 September 2025

🔔 Create Conventional-changelog Vulnerability Alert

What is CVE-2025-59433?

The @conventional-changelog/git-client library, prior to version 2.0.0, contains an argument injection vulnerability in its getTags() API. This flaw enables users to pass extra parameters to the git log command without proper validation or sanitation. Unlike the getRawCommits() API, which implements secure practices, the getTags() API fails to restrict user inputs or terminate command-line options correctly. This oversight allows exploitation through the --output= command-line option, potentially leading to overwriting arbitrary files. A patch has been implemented in version 2.0.0 to address this issue.

Affected Version(s)

conventional-changelog < 2.0.0

References

https://github.com/conventional-changelog/conventional-ch...

x_refsource_CONFIRM

https://github.com/conventional-changelog/conventional-ch...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
Sep 15, 2025