CVE-2025-59433
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| conventional-changelog | git-client | 2.0.0 |
| conventional-changelog | git-client | 1.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59433 is an argument injection vulnerability in the @conventional-changelog/git-client library versions prior to 2.0.0. Specifically, the getTags() API accepts extra parameters that are passed directly to the underlying git log command without proper sanitization or validation. Unlike the getRawCommits() API, getTags() does not use the POSIX double-dash (--) syntax to prevent injection, allowing attackers to inject arbitrary git command-line arguments such as --output=. This can lead to overwriting arbitrary files on the filesystem if exploited. The vulnerability was fixed in version 2.0.0 by removing the ability to pass arbitrary extra git parameters and enforcing strict parameter validation. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject arbitrary command-line arguments into git commands executed by the library, potentially overwriting critical files on the filesystem such as configuration files (.env) or system files (/etc) if the application runs with elevated privileges. This can lead to denial of service or compromise of system integrity and availability. The CVSS score indicates moderate severity with high impact on availability and requires high privileges and user interaction to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your project uses @conventional-changelog/git-client versions prior to 2.0.0, especially version 1.0.1, and if the getTags() API is called with extra parameters that could be passed to git log commands. You can inspect your codebase for usage of getTags() with additional parameters. Additionally, monitoring for unexpected file overwrites (e.g., files like /tmp/r2d2 or critical system files) caused by git log commands with unusual --output= options may indicate exploitation attempts. There are no specific commands provided to detect this vulnerability directly, but you can search your code for calls to getTags() with parameters and check your system logs for suspicious git command executions or file modifications. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the @conventional-changelog/git-client package to version 2.0.0 or later, where the vulnerability is patched by removing the ability to pass arbitrary extra git parameters to the getTags() API and other git commands. If upgrading is not immediately possible, avoid passing extra parameters to getTags() and audit your code to ensure no untrusted input is passed to this API. Additionally, inform developers about the risks of passing arbitrary parameters to git commands and restrict privileges of processes using this library to minimize potential impact. [1, 2]
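The explanation and mitigation above describe two defensive shapes: refusing to forward arbitrary extra parameters to `git log`, and the POSIX `--` separator that `getRawCommits()` already uses. The following is an added example, not code from @conventional-changelog/git-client: a hypothetical wrapper (`buildTagLogArgs`, with made-up fixed arguments) that applies both, plus a scanner over constructed process-audit lines for the `--output=` pattern mentioned in the detection answer.

```javascript
// Added example, not code from @conventional-changelog/git-client. A hypothetical
// wrapper that builds a `git log` argv the defensive way the advisory describes:
// reject caller-supplied values git would parse as options, and put the rest after
// a POSIX "--" separator so git reads them as revisions/pathspecs, never as switches.
// It also scans constructed audit lines for the "--output=" shape.

// Hypothetical fixed arguments for listing tags; not the library's real invocation.
const FIXED_LOG_ARGS = ['log', '--decorate=short', '--no-color'];

class GitArgumentError extends Error {}

// True when git would treat the value as an option rather than a revision/path.
function looksLikeOption(value) {
  return typeof value !== 'string' || value.startsWith('-');
}

// Build argv for listing tags via `git log`; extraArgs are caller-supplied revisions
// or pathspecs (hypothetical API). Throws instead of forwarding option-like input.
function buildTagLogArgs(extraArgs = []) {
  for (const arg of extraArgs) {
    if (looksLikeOption(arg)) {
      throw new GitArgumentError(`refusing option-like git argument: ${String(arg)}`);
    }
    if (arg.length === 0 || arg.includes('\0')) {
      throw new GitArgumentError('empty or NUL-containing git argument');
    }
  }
  // Even if a check above were bypassed, nothing after "--" is parsed as an option.
  return [...FIXED_LOG_ARGS, '--', ...extraArgs];
}

// Constructed sample audit lines (not real logs) in a generic exec-trace shape.
const SAMPLE_AUDIT_LINES = [
  'exec pid=4321 cmd="git log --decorate=short --no-color -- v1.*"',
  'exec pid=4322 cmd="git log --decorate=short --no-color --output=/tmp/r2d2"',
  'exec pid=4323 cmd="git status"',
];

// A `git log` carrying --output is the file-overwrite shape the advisory describes;
// tag listing through the wrapper above never produces it.
const OUTPUT_OPTION_RE = /\bgit\s+log\b[^"]*\s--output(?:=|\s)/;

// Return the audit lines that show a `git log` invocation with --output.
function findSuspiciousGitLog(lines) {
  return lines.filter((line) => OUTPUT_OPTION_RE.test(line));
}
```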