parse-git-config CVE-2025-25975
Prototype Pollution in parse-git-config via expandKeys.
The problem
parse-git-config <= 3.0.0 (all published versions) is affected by
CVE-2025-25975 (CWE-1321 Prototype Pollution). The published package has
no fix available — exactly what npm audit reports. parse-git-config's expandKeys() turns git-config section names (including quoted subsection names) into nested objects. Because it has no guard on reserved keys, a crafted .git/config (for example one checked out from an untrusted repository) parsed with expandKeys: true can add properties to Object.prototype for the whole process.
The fix — drop-in, no code changes
Add an overrides entry so every direct and transitive dependency on
parse-git-config resolves to the patched fork, then reinstall:
{
  "overrides": {
    "parse-git-config": "npm:@keep-lts/parse-git-config@^3.0.1"
  }
}
Equivalent for Yarn: use resolutions. The public API is unchanged — nothing else to do.
Live on npm as @keep-lts/parse-git-config, or install directly: npm i @keep-lts/parse-git-config
What we changed
Section and subsection names that resolve to __proto__, constructor, or prototype are dropped. Legitimate git configuration is unaffected (no real .gitconfig has a section literally named __proto__).
Proof of concept (the vulnerability)
const parse = require('parse-git-config');
// A section header of the form [__proto__ "isPolluted"] expands to
// config.__proto__.isPolluted, i.e. Object.prototype.isPolluted.
parse.expandKeys({ '__proto__ "isPolluted"': true });
console.log(({}).isPolluted); // => true on the unpatched version
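To make the defect and the fix described in "What we changed" concrete, here is an added, self-contained model of an expandKeys-style section expander, first in the unguarded shape the proof of concept exploits and then with the reserved-name guard. It is example code written for this page, not parse-git-config's or the fork's implementation; the splitSection and assignPath helpers are simplifications and the crafted config is a constructed sample.

```javascript
// Example code (not parse-git-config's own): a minimal git-config section
// expander modelled on the page's description of expandKeys().
// Section headers follow git syntax: 'remote "origin"' -> ['remote', 'origin'].

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Split a section header into its path parts (simplified helper).
function splitSection(name) {
  const m = /^(\S+)\s+"(.*)"$/.exec(name);
  return m ? [m[1], m[2]] : [name];
}

// Assign `value` at `path` inside `root`, creating intermediate objects.
// Walking through a '__proto__' key lands on Object.prototype, which is
// the CWE-1321 defect the advisory describes.
function assignPath(root, path, value) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Unguarded expansion: every section name is trusted.
function expandKeysUnsafe(config) {
  const out = {};
  for (const [section, value] of Object.entries(config)) {
    assignPath(out, splitSection(section), value);
  }
  return out;
}

// Guarded expansion: any section or subsection part that names a reserved
// key is dropped, as the patched fork does.
function expandKeysSafe(config) {
  const out = {};
  for (const [section, value] of Object.entries(config)) {
    const path = splitSection(section);
    if (path.some((part) => RESERVED.has(part))) continue;
    assignPath(out, path, value);
  }
  return out;
}

// Regression check: run `expand` over the crafted config from the PoC and
// report whether a fresh object gained the property. Object.prototype is
// restored afterwards so the process is left clean.
function pollutes(expand) {
  const crafted = { '__proto__ "isPolluted"': true }; // constructed sample
  expand(crafted);
  const leaked = ({}).isPolluted === true;
  delete Object.prototype.isPolluted;
  return leaked;
}
```

pollutes(expandKeysUnsafe) returns true and pollutes(expandKeysSafe) returns false, which is the shape of the regression test the fork ships: fails on the original, passes on the patch, while ordinary sections such as [remote "origin"] still expand.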
@keep-lts/parse-git-config@3.0.1
How we keep it trustworthy
- Minimal, surgical patch — security only, no feature changes.
- A regression test that fails on the original and passes on the patch; legitimate behaviour preserved.
- Published under the @keep-lts org with the full advisory and tests inside the package; upstream license & attribution retained.
Full advisory and changelog ship inside the package (SECURITY.md, CHANGELOG.md).