SCA: security update for @conventional-changelog/git-client (GHSA-vh25-5764-9wcr)

medium Tenable Cloud Security Plugin ID 435390

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Conventional Changelog generates changelogs and release notes from a project's commit messages and
metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection
vulnerability. This vulnerability manifests with the library's getTags() API, which allows extra
parameters to be passed to the git log command. In another API by this library, getRawCommits(), there are
secure practices taken to ensure that the extra parameter path is unable to inject an argument by ending
the git log command with the special shell syntax --. However, the library does not follow the same
practice for getTags() as it does not attempt to sanitize for user input, validate the given params, or
restrict them to an allow list. Nor does it properly pass command-line flags to the git binary using the
double-dash POSIX characters (--) to communicate the end of options. Thus, allowing users to exploit an
argument injection vulnerability in Git due to the --output= command-line option that results with
overwriting arbitrary files. This issue has been patched in version 2.0.0. (CVE-2025-59433)

See Also

https://github.com/advisories/GHSA-vh25-5764-9wcr

Plugin Details

Severity: Medium

ID: 435390

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 9/22/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.46

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:H/Au:M/C:P/I:P/A:C

CVSS Score Source: CVE-2025-59433

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/22/2025

Vulnerability Publication Date: 9/22/2025

Reference Information

CVE: CVE-2025-59433

cwe: CWE-88