CVE-2025-59433

Name of the Vulnerable Software and Affected Versions Conventional Changelog versions prior to 2.0.0

Description The @conventional-changelog/git-client library, versions prior to 2.0.0, contains a flaw in the getTags() API that allows for argument injection into the git log command. This occurs because the API does not sanitize user input, validate parameters, or properly use the double-dash POSIX characters (--) to signal the end of options when passing command-line flags to the git binary. Specifically, the --output= command-line option can be exploited to overwrite arbitrary files. The getRawCommits() API implements secure practices to prevent argument injection, but these practices are not applied to getTags(). An exploit involves providing malicious parameters to the getTags() function, potentially leading to the creation or overwriting of files on the system, including sensitive configuration files if the application is running with elevated privileges.

Recommendations Update to Conventional Changelog version 2.0.0 or later.