{"id":"CVE-2025-59433","summary":"@conventional-changelog/git-client has an Argument Injection vulnerability","details":"Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags() API, which allows extra parameters to be passed to the git log command. In another API by this library, getRawCommits(), there are secure practices taken to ensure that the extra parameter path is unable to inject an argument by ending the git log command with the end-of-options marker --. However, the library does not follow the same practice for getTags(): it does not attempt to sanitize user input, validate the given params, or restrict them to an allow list. Nor does it pass the double-dash POSIX characters (--) to the git binary to communicate the end of options. As a result, users can exploit an argument injection vulnerability in Git through the --output= command-line option, which results in overwriting arbitrary files. 
This issue has been patched in version 2.0.0.","aliases":["GHSA-vh25-5764-9wcr"],"modified":"2026-04-10T05:33:24.830518Z","published":"2025-09-22T19:14:54.237Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59433.json","cwe_ids":["CWE-88"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59433.json"},{"type":"ADVISORY","url":"https://github.com/conventional-changelog/conventional-changelog/security/advisories/GHSA-vh25-5764-9wcr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59433"},{"type":"FIX","url":"https://github.com/conventional-changelog/conventional-changelog/commit/d95c9ffac05af58228bd89fa0ba37ad65741c6a2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/conventional-changelog/conventional-changelog","events":[{"introduced":"0"},{"fixed":"ce1fd981f88ce201e996dfa833e4682de3aafcdd"}]}],"versions":["conventional-changelog-angular@1.3.1","conventional-changelog-angular@1.3.2","conventional-changelog-angular@1.3.3","conventional-changelog-angular@1.4.0","conventional-changelog-angular@1.5.0","conventional-changelog-angular@1.5.1","conventional-changelog-angular@1.5.2","conventional-changelog-angular@1.5.3","conventional-changelog-angular@1.6.0","conventional-changelog-angular@1.6.1","conventional-changelog-angular@1.6.2","conventional-changelog-angular@1.6.3","conventional-changelog-angular@1.6.4","conventional-changelog-angular@1.6.5","conventional-changelog-angular@1.6.6","conventional-changelog-angular@3.0.0","conventional-changelog-angular@3.0.1","conventional-changelog-angular@3.0.2","conventional-changelog-angular@3.0.3","conventional-changelog-angular@3.0.4","conventional-changelog-angular@3.0.5","conventional-changelog-angular@3.0.6","conventional-changelog-angular@3.0.7","conventional-changelog-atom@0.1.1","conventional-changelog-atom@0.1.2","conventio
nal-changelog-atom@0.2.0","conventional-changelog-atom@0.2.1","conventional-changelog-atom@0.2.2","conventional-changelog-atom@0.2.3","conventional-changelog-atom@0.2.4","conventional-changelog-atom@0.2.5","conventional-changelog-atom@0.2.6","conventional-changelog-atom@0.2.7","conventional-changelog-atom@0.2.8","conventional-changelog-cli@1.2.0","conventional-changelog-cli@1.2.1","conventional-changelog-cli@1.3.0","conventional-changelog-cli@1.3.1","conventional-changelog-cli@1.3.10","conventional-changelog-cli@1.3.11","conventional-changelog-cli@1.3.12","conventional-changelog-cli@1.3.13","conventional-changelog-cli@1.3.14","conventional-changelog-cli@1.3.15","conventional-changelog-cli@1.3.16","conventional-changelog-cli@1.3.17","conventional-changelog-cli@1.3.18","conventional-changelog-cli@1.3.19","conventional-changelog-cli@1.3.2","conventional-changelog-cli@1.3.20","conventional-changelog-cli@1.3.21","conventional-changelog-cli@1.3.22","conventional-changelog-cli@1.3.3","conventional-changelog-cli@1.3.4","conventional-changelog-cli@1.3.5","conventional-changelog-cli@1.3.6","conventional-changelog-cli@1.3.7","conventional-changelog-cli@1.3.8","conventional-changelog-cli@1.3.9","conventional-changelog-codemirror@0.2.0","conventional-changelog-codemirror@0.2.1","conventional-changelog-codemirror@0.3.0","conventional-changelog-codemirror@0.3.1","conventional-changelog-codemirror@0.3.2","conventional-changelog-codemirror@0.3.3","conventional-changelog-codemirror@0.3.4","conventional-changelog-codemirror@0.3.5","conventional-changelog-codemirror@0.3.6","conventional-changelog-codemirror@0.3.7","conventional-changelog-codemirror@0.3.8","conventional-changelog-core@1.5.0","conventional-changelog-core@1.6.0","conventional-changelog-core@1.7.0","conventional-changelog-core@1.8.0","conventional-changelog-core@1.9.0","conventional-changelog-core@1.9.1","conventional-changelog-core@1.9.2","conventional-changelog-core@1.9.3","conventional-changelog-core@1.9.4","conventiona
l-changelog-core@1.9.5","conventional-changelog-core@2.0.0","conventional-changelog-core@2.0.1","conventional-changelog-core@2.0.10","conventional-changelog-core@2.0.11","conventional-changelog-core@2.0.2","conventional-changelog-core@2.0.3","conventional-changelog-core@2.0.4","conventional-changelog-core@2.0.5","conventional-changelog-core@2.0.6","conventional-changelog-core@2.0.7","conventional-changelog-core@2.0.8","conventional-changelog-core@2.0.9","conventional-changelog-ember@0.2.10","conventional-changelog-ember@0.2.3","conventional-changelog-ember@0.2.4","conventional-changelog-ember@0.2.5","conventional-changelog-ember@0.2.6","conventional-changelog-ember@0.2.7","conventional-changelog-ember@0.2.8","conventional-changelog-ember@0.2.9","conventional-changelog-ember@0.3.0","conventional-changelog-ember@0.3.1","conventional-changelog-ember@0.3.10","conventional-changelog-ember@0.3.11","conventional-changelog-ember@0.3.12","conventional-changelog-ember@0.3.2","conventional-changelog-ember@0.3.3","conventional-changelog-ember@0.3.4","conventional-changelog-ember@0.3.5","conventional-changelog-ember@0.3.6","conventional-changelog-ember@0.3.7","conventional-changelog-ember@0.3.8","conventional-changelog-ember@0.3.9","conventional-changelog-eslint@0.2.0","conventional-changelog-eslint@0.2.1","conventional-changelog-eslint@0.3.0","conventional-changelog-eslint@1.0.0","conventional-changelog-eslint@1.0.1","conventional-changelog-eslint@1.0.2","conventional-changelog-eslint@1.0.3","conventional-changelog-eslint@1.0.4","conventional-changelog-eslint@1.0.5","conventional-changelog-eslint@1.0.6","conventional-changelog-eslint@1.0.7","conventional-changelog-eslint@1.0.8","conventional-changelog-eslint@1.0.9","conventional-changelog-express@0.2.0","conventional-changelog-express@0.2.1","conventional-changelog-express@0.3.0","conventional-changelog-express@0.3.1","conventional-changelog-express@0.3.2","conventional-changelog-express@0.3.3","conventional-changelog-express@0
.3.4","conventional-changelog-express@0.3.5","conventional-changelog-express@0.3.6","conventional-changelog-jquery@1.2.0","conventional-changelog-jquery@1.2.1","conventional-changelog-jquery@1.3.0","conventional-changelog-jquery@1.3.1","conventional-changelog-jquery@1.3.2","conventional-changelog-jquery@1.3.3","conventional-changelog-jquery@1.3.4","conventional-changelog-jquery@1.3.5","conventional-changelog-jquery@1.3.6","conventional-changelog-jquery@1.3.7","conventional-changelog-jquery@1.3.8","conventional-changelog-jquery@1.3.9","conventional-changelog-jshint@0.2.0","conventional-changelog-jshint@0.2.1","conventional-changelog-jshint@0.3.0","conventional-changelog-jshint@0.3.1","conventional-changelog-jshint@0.3.2","conventional-changelog-jshint@0.3.3","conventional-changelog-jshint@0.3.4","conventional-changelog-jshint@0.3.5","conventional-changelog-jshint@0.3.6","conventional-changelog-jshint@0.3.7","conventional-changelog-jshint@0.3.8","conventional-changelog-preset-loader@1.1.0","conventional-changelog-preset-loader@1.1.1","conventional-changelog-preset-loader@1.1.2","conventional-changelog-preset-loader@1.1.3","conventional-changelog-preset-loader@1.1.4","conventional-changelog-preset-loader@1.1.5","conventional-changelog-preset-loader@1.1.6","conventional-changelog-preset-loader@1.1.7","conventional-changelog-preset-loader@1.1.8","conventional-changelog-writer@2.0.0","conventional-changelog-writer@2.0.1","conventional-changelog-writer@2.0.2","conventional-changelog-writer@2.0.3","conventional-changelog-writer@3.0.0","conventional-changelog-writer@3.0.1","conventional-changelog-writer@3.0.2","conventional-changelog-writer@3.0.3","conventional-changelog-writer@3.0.4","conventional-changelog-writer@3.0.5","conventional-changelog-writer@3.0.6","conventional-changelog-writer@3.0.7","conventional-changelog-writer@3.0.8","conventional-changelog-writer@3.0.9","conventional-changelog@1.1.1","conventional-changelog@1.1.10","conventional-changelog@1.1.11","conventio
nal-changelog@1.1.12","conventional-changelog@1.1.13","conventional-changelog@1.1.14","conventional-changelog@1.1.15","conventional-changelog@1.1.16","conventional-changelog@1.1.17","conventional-changelog@1.1.18","conventional-changelog@1.1.19","conventional-changelog@1.1.2","conventional-changelog@1.1.20","conventional-changelog@1.1.21","conventional-changelog@1.1.22","conventional-changelog@1.1.23","conventional-changelog@1.1.24","conventional-changelog@1.1.3","conventional-changelog@1.1.4","conventional-changelog@1.1.5","conventional-changelog@1.1.6","conventional-changelog@1.1.7","conventional-changelog@1.1.8","conventional-changelog@1.1.9","conventional-commits-filter@1.1.0","conventional-commits-filter@1.1.1","conventional-commits-filter@1.1.2","conventional-commits-filter@1.1.3","conventional-commits-filter@1.1.4","conventional-commits-filter@1.1.5","conventional-commits-filter@1.1.6","conventional-commits-parser@2.0.0","conventional-commits-parser@2.0.1","conventional-commits-parser@2.1.0","conventional-commits-parser@2.1.1","conventional-commits-parser@2.1.2","conventional-commits-parser@2.1.3","conventional-commits-parser@2.1.4","conventional-commits-parser@2.1.5","conventional-commits-parser@2.1.6","conventional-commits-parser@2.1.7","conventional-recommended-bump@1.0.0","conventional-recommended-bump@1.0.1","conventional-recommended-bump@1.0.2","conventional-recommended-bump@1.0.3","conventional-recommended-bump@1.1.0","conventional-recommended-bump@1.2.0","conventional-recommended-bump@1.2.1","conventional-recommended-bump@2.0.0","conventional-recommended-bump@2.0.1","conventional-recommended-bump@2.0.2","conventional-recommended-bump@2.0.3","conventional-recommended-bump@2.0.4","conventional-recommended-bump@2.0.5","conventional-recommended-bump@2.0.6","conventional-recommended-bump@2.0.7","conventional-recommended-bump@2.0.8","conventional-recommended-bump@2.0.9","git-raw-commits@1.2.0","git-raw-commits@1.3.0","git-raw-commits@1.3.1","git-raw-commits
@1.3.2","git-raw-commits@1.3.3","git-raw-commits@1.3.4","git-raw-commits@1.3.5","git-raw-commits@1.3.6","git-semver-tags@1.2.0","git-semver-tags@1.2.1","git-semver-tags@1.2.2","git-semver-tags@1.2.3","git-semver-tags@1.3.0","git-semver-tags@1.3.1","git-semver-tags@1.3.2","git-semver-tags@1.3.3","git-semver-tags@1.3.4","git-semver-tags@1.3.5","git-semver-tags@1.3.6","gulp-conventional-changelog@1.1.0","gulp-conventional-changelog@1.1.1","gulp-conventional-changelog@1.1.10","gulp-conventional-changelog@1.1.11","gulp-conventional-changelog@1.1.12","gulp-conventional-changelog@1.1.13","gulp-conventional-changelog@1.1.14","gulp-conventional-changelog@1.1.15","gulp-conventional-changelog@1.1.16","gulp-conventional-changelog@1.1.17","gulp-conventional-changelog@1.1.18","gulp-conventional-changelog@1.1.19","gulp-conventional-changelog@1.1.2","gulp-conventional-changelog@1.1.20","gulp-conventional-changelog@1.1.21","gulp-conventional-changelog@1.1.22","gulp-conventional-changelog@1.1.23","gulp-conventional-changelog@1.1.24","gulp-conventional-changelog@1.1.3","gulp-conventional-changelog@1.1.4","gulp-conventional-changelog@1.1.5","gulp-conventional-changelog@1.1.6","gulp-conventional-changelog@1.1.7","gulp-conventional-changelog@1.1.8","gulp-conventional-changelog@1.1.9","standard-changelog@0.0.2","standard-changelog@1.0.0","standard-changelog@1.0.1","standard-changelog@1.0.10","standard-changelog@1.0.11","standard-changelog@1.0.12","standard-changelog@1.0.13","standard-changelog@1.0.14","standard-changelog@1.0.15","standard-changelog@1.0.16","standard-changelog@1.0.17","standard-changelog@1.0.18","standard-changelog@1.0.19","standard-changelog@1.0.2","standard-changelog@1.0.3","standard-changelog@1.0.4","standard-changelog@1.0.5","standard-changelog@1.0.6","standard-changelog@1.0.7","standard-changelog@1.0.8","standard-changelog@1.0.9","v0.0.10","v0.0.11","v0.0.13","v0.0.14","v0.0.15","v0.0.16","v0.0.17","v0.0.4","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.0-alpha.1"
,"v0.1.0-alpha.2","v0.1.0-alpha.3","v0.1.0-beta.1","v0.1.0-beta.2","v0.1.0-beta.3","v0.1.1","v0.1.2","v0.1.3","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v1.0.0","v1.0.1","v1.0.2","v1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H"}]}