CVE-2025-25975

7.5 HIGH

📋 TL;DR

A vulnerability in parse-git-config v3.0.0 allows attackers to read sensitive information from git configuration files through improper handling in the expandKeys function. This affects applications using this library to parse git configurations, potentially exposing credentials and repository metadata. Developers using parse-git-config in their projects are primarily impacted.

💻 Affected Systems

Products:
  • parse-git-config
Versions: Version 3.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use parse-git-config library to process untrusted git configuration files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract git credentials, SSH keys, API tokens, and other sensitive configuration data stored in git config files, leading to unauthorized repository access and potential lateral movement.

🟠 Likely Case

Exposure of repository URLs, user emails, and other git configuration details that could facilitate social engineering or targeted attacks.

🟢 If Mitigated

Limited exposure of non-sensitive configuration data with proper input validation and access controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the application to process attacker-controlled git configuration files through the vulnerable library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.0.1 or later

Vendor Advisory: https://github.com/jonschlinkert/parse-git-config/issues/14

Restart Required: No

Instructions:

1. Update the parse-git-config dependency to version 3.0.1 or later.
2. Run 'npm update parse-git-config' or update package.json to '^3.0.1'.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input Validation (applies to: all)

Validate and sanitize git configuration files before passing them to the parse-git-config library.

Restrict File Access (applies to: all)

Limit access to git configuration files and ensure they come from trusted sources only.

🧯 If You Can't Patch

  • Implement strict input validation for git configuration files
  • Monitor for suspicious access patterns to git configuration data

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for parse-git-config version 3.0.0

Check Version:

npm list parse-git-config

Verify Fix Applied:

Verify parse-git-config version is 3.0.1 or higher in package.json
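The version check above can be automated against a lockfile. The script below is an added example (not part of this advisory or the parse-git-config project): it walks a parsed package-lock.json, finds every copy of parse-git-config including nested transitive copies, and flags any version below the fixed 3.0.1. The SAMPLE_LOCK fragment is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the parse-git-config project): audit a
// parsed npm lockfile for every parse-git-config copy older than the fixed 3.0.1.
// Handles lockfile v1 ("dependencies" tree) and v2/v3 ("packages" map).
const FIXED_VERSION = '3.0.1';

// Numeric compare of "x.y.z" strings (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Map of install path -> version for each parse-git-config copy, nested ones included.
function findParseGitConfig(lock) {
  const found = new Map();
  for (const [p, meta] of Object.entries(lock.packages || {})) { // v2/v3 flat map
    if (p.endsWith('node_modules/parse-git-config')) found.set(p, meta.version);
  }
  (function walk(deps, prefix) { // v1 nested tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'parse-git-config') found.set(p, meta.version);
      walk(meta.dependencies, `${p}/`);
    }
  })(lock.dependencies, '');
  return found;
}

function auditLockfile(lock) {
  return [...findParseGitConfig(lock)].map(([path, version]) =>
    ({ path, version, vulnerable: isVulnerable(version) }));
}

// Constructed v3 lockfile fragment: direct copy already fixed, transitive copy still 3.0.0.
const SAMPLE_LOCK = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/parse-git-config': { version: '3.0.1' },
  'node_modules/some-tool/node_modules/parse-git-config': { version: '3.0.0' },
} };
for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'VULNERABLE (< 3.0.1)' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a nested copy pinned by another dependency will not be fixed by updating your own package.json alone.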

📡 Detection & Monitoring

Log Indicators:

  • Unexpected access to git configuration files
  • Multiple failed parsing attempts of git config

Network Indicators:

  • Unusual git operations from unexpected sources

SIEM Query:

source="application_logs" AND ("parse-git-config" OR "git config") AND error
