CVE-2025-25975

HIGH

parse-git-config 3.0.0 - Exposure of Sensitive Information via expandKeys Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-25975. PoCs published by AikidoSec.

AI-analyzed exploit summary This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate both vulnerable and protected scenarios using the Aikido Zen Firewall.

Description

An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function

Exploits (1)

github WORKING POC 6 stars

by AikidoSec · javascriptpoc

https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2025-25975

View Code ZIP pw:eip

This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate both vulnerable and protected scenarios using the Aikido Zen Firewall.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Node.js applications using @enspirit/elo and st modules

No auth needed

Prerequisites: Node.js environment · Docker for containerized testing

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Issue Tracking

https://github.com/jonschlinkert/parse-git-config/issues/14

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 10.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

jonschlinkert/parse-git-config 3.0.0

npm/parse-git-config 0npm

Published Mar 12, 2025

Tracked Since Feb 18, 2026