CVE-2025-25975
Published: 12 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25975 is a vulnerability in parse-git-config version 3.0.0 that allows an attacker to obtain sensitive information through the expandKeys function. This issue falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to significant confidentiality impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables the attacker to disclose sensitive information handled by the affected component.
The vulnerability is tracked and discussed in GitHub issue #14 for the parse-git-config repository at https://github.com/jonschlinkert/parse-git-config/issues/14. No specific mitigation or patch details are provided in the referenced advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated network vulnerability in a library that can be exploited in public-facing applications to disclose sensitive information, directly mapping to T1190 Exploit Public-Facing Application.