Google zx Environment Variable Injection Vulnerability in dotenv API

Vulnerability

A vulnerability allowing environment variable injection has been identified in Google zx version 8.3.1. This issue arises in the dotenv API, where an attacker can manipulate environment variable values to inject unintended variables into process.env. Such injection can lead to arbitrary command execution or unexpected behavior in applications that depend on environment variables for security-sensitive tasks. The vulnerability is particularly pronounced in applications that handle untrusted input and use dotenv.stringify, as these conditions create an opportunity for exploitation.

Impact

Exploitation of this vulnerability allows for environment variable injection, which can lead to arbitrary command execution or unexpected application behavior, especially in security-sensitive contexts.

Remediation

Users are advised to upgrade to Google zx version 8.3.2 or later. If an immediate upgrade is not possible, the vulnerability can be mitigated by sanitizing user-controlled environment variable values before passing them to dotenv.stringify. Specifically, reject values that contain double quotes, single quotes, or backticks, or enforce strict validation of environment variable names and values before use.
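The following is an added defensive example, not code from the zx project or from this advisory, showing the kind of allow-list validation the remediation calls for. It is self-contained (no zx import) and the function names validateEnvEntry, rejectedEntries, safeStringify and loadValidated are assumptions; the intent is that an object passes these checks before it is handed to zx's dotenv.stringify or copied into process.env.

```javascript
// Added example (not zx project code): allow-list validation of environment
// variable names and values before they reach a dotenv serializer such as
// zx's dotenv.stringify, or before they are copied into process.env.
// Function names are hypothetical.

// dotenv keys: POSIX-style identifiers only.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Characters the advisory says to keep out of values: double quotes, single
// quotes and backticks. Line breaks and other control characters are rejected
// too, because a serialized .env file is line-oriented.
const FORBIDDEN_VALUE_RE = /["'`\r\n\u0000-\u001f\u007f]/;

// Check one key/value pair. Returns { ok: true } or { ok: false, reason }.
function validateEnvEntry(key, value) {
  if (typeof key !== 'string' || !KEY_RE.test(key)) {
    return { ok: false, reason: `invalid key ${JSON.stringify(key)}` };
  }
  if (typeof value !== 'string') {
    return { ok: false, reason: `value for ${key} must be a string` };
  }
  const hit = FORBIDDEN_VALUE_RE.exec(value);
  if (hit) {
    return {
      ok: false,
      reason: `value for ${key} contains forbidden character ${JSON.stringify(hit[0])}`,
    };
  }
  return { ok: true };
}

// Validate a whole object; returns the rejected entries with their reasons.
function rejectedEntries(env) {
  const rejected = [];
  for (const [k, v] of Object.entries(env)) {
    const r = validateEnvEntry(k, v);
    if (!r.ok) rejected.push({ key: k, reason: r.reason });
  }
  return rejected;
}

// Serialize only after every entry passes. Throws otherwise, so a caller
// cannot write partially validated data to a .env file.
function safeStringify(env) {
  const bad = rejectedEntries(env);
  if (bad.length > 0) {
    throw new Error('refusing to serialize: ' + bad.map((b) => b.reason).join('; '));
  }
  return Object.entries(env)
    .map(([k, v]) => `${k}=${v}`)
    .join('\n');
}

// Copy validated entries into a target object (pass process.env in real use;
// a fresh object is the default so the example has no side effects).
// Returns the number of entries copied; rejected entries are skipped.
function loadValidated(env, target = {}) {
  let copied = 0;
  for (const [k, v] of Object.entries(env)) {
    if (validateEnvEntry(k, v).ok) {
      target[k] = v;
      copied += 1;
    }
  }
  return copied;
}

// Constructed sample input: one clean object, one carrying a double quote.
const sampleClean = { APP_NAME: 'demo', PORT: '8080' };
const sampleTainted = { APP_NAME: 'demo', GREETING: 'hello "world"' };

console.log(safeStringify(sampleClean));
console.log(rejectedEntries(sampleTainted));
```

The validator is deliberately an allow-list on names and a deny-list on the characters the advisory names plus line breaks; untrusted input that fails either check is refused rather than escaped, so the serializer never sees a value it might need to quote.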

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.