CVE-2025-59433
📋 TL;DR
CVE-2025-59433 is an argument injection vulnerability in @conventional-changelog/git-client's getTags() API that allows attackers to pass malicious parameters to the git log command. This can lead to arbitrary file overwrite via Git's --output option. Developers using affected versions of conventional-changelog for automated changelog generation are impacted.
💻 Affected Systems
- @conventional-changelog/git-client
- conventional-changelog
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file overwrite leading to remote code execution or data destruction.
Likely Case
Local file corruption or overwrite in the context of the application's user permissions.
If Mitigated
Limited impact due to restricted user permissions or input validation in wrapper code.
🎯 Exploit Status
Exploitation requires control over parameters passed to getTags() API and knowledge of the target system's file structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://github.com/conventional-changelog/conventional-changelog/security/advisories/GHSA-vh25-5764-9wcr
Restart Required: No
Instructions:
1. Update @conventional-changelog/git-client to version 2.0.0 or later.
2. Run 'npm update @conventional-changelog/git-client' or update package.json to specify '^2.0.0'.
3. Rebuild and redeploy affected applications.
🔧 Temporary Workarounds
Input validation wrapper
Implement strict input validation for parameters passed to the getTags() API
// Validate that params only contain allowed characters
// Example: allow only alphanumeric, hyphens, underscores
function sanitizeParam(param) {
  return String(param).replace(/[^a-zA-Z0-9_-]/g, '')
}
const safeParams = sanitizeParam(params)
🧯 If You Can't Patch
- Restrict user input to the getTags() API to only trusted, hardcoded values
- Run the application with minimal file system permissions to limit damage scope
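The following is an added example of the "input validation wrapper" workaround, not code from the conventional-changelog project. It assumes a hypothetical helper, buildGitLogArgs, standing in for wherever caller-supplied values become git log arguments; the real git-client parameter shape is not reproduced. It goes slightly beyond the allow-list above in two ways a practitioner would want: it rejects option-like values (leading '-') instead of silently stripping characters, and it admits '.', '/' and '@' because real tags look like v1.2.3 or release/2024.

```javascript
// Added example, not code from the conventional-changelog project.
// Guards the values a caller would feed into a getTags()-style helper before
// they become `git log` arguments. `buildGitLogArgs` is a hypothetical stand-in.

// Characters plausible in a tag or ref name. The page's allow-list is extended
// with '.', '/' and '@' so that ordinary tags such as v1.2.3 are accepted.
const REF_PATTERN = /^[A-Za-z0-9._@\/-]+$/;

// Reject anything git would parse as an option (leading '-') and anything
// outside the allow-list. Rejecting is safer than stripping: a silently
// rewritten value can still reach git with a meaning the caller never intended.
function assertSafeRefArg(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name} looks like a git option, refusing: ${value}`);
  }
  if (!REF_PATTERN.test(value)) {
    throw new Error(`${name} contains disallowed characters, refusing: ${value}`);
  }
  return value;
}

// Build the argv handed to git. The revision range must precede any "--", so
// it relies on the leading-dash check above; a path filter is placed after
// "--", git's end-of-options marker, so it can never be read as a flag.
function buildGitLogArgs(userParams = {}) {
  const revision = assertSafeRefArg(userParams.revision ?? 'HEAD', 'revision');
  const args = ['log', '--decorate=full', '--no-color', revision];
  if (userParams.path !== undefined) {
    args.push('--', assertSafeRefArg(userParams.path, 'path'));
  }
  return args;
}

// Boolean form for callers that prefer a check to an exception.
function isSafeRefArg(value) {
  try {
    assertSafeRefArg(value, 'value');
    return true;
  } catch {
    return false;
  }
}
```

The argv array is meant to be passed to child_process.spawn('git', args) or execFile; never join it into a shell string, which would reintroduce a second injection surface. Note that the allow-list still excludes whitespace, ';', '&' and quotes, so values like "v1.0.0..HEAD" pass while anything that could be a flag or a shell metacharacter is refused.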
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules for @conventional-changelog/git-client version below 2.0.0
Check Version:
npm list @conventional-changelog/git-client | grep @conventional-changelog/git-client
Verify Fix Applied:
Verify installed version is 2.0.0 or higher using npm list @conventional-changelog/git-client
📡 Detection & Monitoring
Log Indicators:
- Unexpected git log commands with --output parameter
- File permission errors or unexpected file modifications
Network Indicators:
- None; this is a local argument injection vulnerability
SIEM Query:
Process execution monitoring for git log with suspicious --output parameters
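As an added example of the process-execution monitoring described above (not from the page's vendor or the project), the script below scans process-execution log lines for git log invocations that carry git's --output option, the indicator named in the Log Indicators list. The log lines are constructed for this example, one JSON object per line with a "cmdline" field; that field name is an assumption and should be adjusted to whatever your EDR or auditd forwarder emits.

```javascript
// Added example, not from the page's vendor. Flags `git log` invocations that
// carry git's --output option in process-execution logs.
// SAMPLE_LOG is constructed for this example: one JSON event per line with an
// assumed "cmdline" field.

const SAMPLE_LOG = [
  '{"ts":"2025-01-01T10:00:00Z","user":"ci","cmdline":"git log --decorate --no-color v1.0.0..HEAD"}',
  '{"ts":"2025-01-01T10:00:01Z","user":"ci","cmdline":"git log --output=/tmp/report.txt v1.0.0..HEAD"}',
  '{"ts":"2025-01-01T10:00:02Z","user":"ci","cmdline":"git tag --list"}',
  '{"ts":"2025-01-01T10:00:03Z","user":"ci","cmdline":"/usr/bin/git log --output /tmp/other.txt --pretty=%H"}',
  'malformed line that is not JSON',
];

// git accepts both "--output=<file>" and "--output <file>"; return the
// destination for either form, or null if this token is not --output.
function outputTarget(argv, i) {
  if (argv[i].startsWith('--output=')) return argv[i].slice('--output='.length);
  if (argv[i] === '--output') return argv[i + 1] ?? '';
  return null;
}

// Returns one finding per matching line: who ran it, when, and where git was
// told to write. Lines that are not JSON or lack a cmdline are skipped.
function findGitLogWithOutput(lines) {
  const findings = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; }
    if (typeof ev.cmdline !== 'string') continue;
    // Whitespace tokenising is enough for these lines; quoted arguments
    // containing spaces would need a proper shell-words parser.
    const argv = ev.cmdline.trim().split(/\s+/);
    const gitIdx = argv.findIndex(t => t === 'git' || t.endsWith('/git'));
    if (gitIdx === -1) continue;
    const logIdx = argv.indexOf('log', gitIdx + 1);
    if (logIdx === -1) continue;
    for (let i = logIdx + 1; i < argv.length; i++) {
      const target = outputTarget(argv, i);
      if (target !== null) {
        findings.push({ ts: ev.ts, user: ev.user, target, cmdline: ev.cmdline });
        break;
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(findGitLogWithOutput(SAMPLE_LOG));
}
```

Legitimate automation rarely asks git log to write to a file, so the hit rate on this rule is low enough to alert on directly; where a tool in your environment does use --output, allow-list that tool's parent process and destination path rather than the option itself. The subcommand match is deliberately simple (first "log" token after the git binary), so a revision literally named "log" would produce a false positive, which is acceptable for a detection rule.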