CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2025-24959 – Environment Variable Injection for dotenv API in zx
https://notcve.org/view.php?id=CVE-2025-24959
03 Feb 2025 — zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. This issue has been patched in version 8.3.2.

• https://github.com/google/zx/pull/1094
• CWE-94: Improper Control of Generation of Code ('Code Injection')