@dotenvx/dotenvx is vulnerable to OS command injection
75
High Risk
In src/lib/helpers/parse.js, once decrypt() has run, string values that still carry the encrypted: ciphertext form were passed through the same evalKeyValue / eval path and the same expand / resolveEscapeSequences path as ordinary secrets. A value could therefore embed shell command substitution (for example $(…) in the payload) that is executed while the variable is resolved, even though such a value is intended only as opaque encrypted material. Before the fix, the parser performed no isEncrypted / encrypted: check ahead of those steps. The fix treats encrypted-prefixed values as non-evaluatable: it sets encryptedPrefixed from isEncrypted(this.parsed[key]) and skips both the eval block and the escape-expansion block when that flag is true, so encrypted: secrets are neither expanded nor run as shell commands.
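The following is an added illustration, not dotenvx's own code, of the guard the fix describes: a small model of the post-decrypt step in which any value still carrying the encrypted: prefix bypasses both evaluation and expansion and is left byte-for-byte intact. Names such as resolveParsed, hasCommandSubstitution and expandReferences are assumptions for this example and are not the library's API; the sample values are constructed, and the example goes one step beyond the patch by reporting (never executing) plain values that still contain a command-substitution token, which is a detection aid rather than part of the fix itself. No shell is invoked anywhere in this code.

```javascript
// Added example (not @dotenvx/dotenvx code): a minimal model of the patched
// post-decrypt step. Function names are assumptions, not the library's API.

const ENCRYPTED_PREFIX = 'encrypted:'

// Mirrors the check the patch adds: a value that still starts with the prefix
// after decrypt() is opaque ciphertext and must never reach eval or expansion.
function isEncrypted(value) {
  return typeof value === 'string' && value.startsWith(ENCRYPTED_PREFIX)
}

// Detection helper (assumed, not from the patch): flags the value forms that
// would reach a shell on an unpatched eval path, $( ... ) and backtick quoting.
function hasCommandSubstitution(value) {
  return /\$\([^)]*\)|`[^`]*`/.test(value)
}

// Safe stand-in for the expand step: resolves ${NAME} / $NAME references
// against a plain object. Unknown names are left as written; no shell runs.
function expandReferences(value, env) {
  return value.replace(
    /\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/g,
    (match, braced, bare) => {
      const name = braced || bare
      return Object.prototype.hasOwnProperty.call(env, name) ? env[name] : match
    }
  )
}

// Walks parsed key/values the way the patched parser does: encrypted-prefixed
// values skip both eval and expansion; everything else is expanded, and any
// command substitution still present is reported instead of executed.
function resolveParsed(parsed, processEnv = {}) {
  const values = {}
  const skipped = []   // keys left untouched because they are ciphertext
  const flagged = []   // plain keys carrying a command-substitution token
  for (const [key, raw] of Object.entries(parsed)) {
    if (isEncrypted(raw)) {
      values[key] = raw
      skipped.push(key)
      continue
    }
    if (hasCommandSubstitution(raw)) flagged.push(key)
    values[key] = expandReferences(raw, { ...processEnv, ...values })
  }
  return { values, skipped, flagged }
}

// Constructed sample input (not real secrets). The $(not_executed) token is a
// placeholder that is only ever matched by a regex, never run.
const SAMPLE_PARSED = {
  HOST: 'db.internal',
  DATABASE_URL: 'postgres://app@${HOST}:5432/app',
  API_KEY: 'encrypted:BDQ+constructed-ciphertext',
  PAYLOAD: 'encrypted:$(not_executed)${HOST}',
  PLAIN_SUSPECT: 'value-$(not_executed)'
}

function demo() {
  return resolveParsed(SAMPLE_PARSED)
}

console.log(JSON.stringify(demo(), null, 2))
```

Running it shows DATABASE_URL expanded to postgres://app@db.internal:5432/app, both encrypted: entries listed under skipped with their text unchanged (the $( … ) inside PAYLOAD included), and PLAIN_SUSPECT listed under flagged. The flagged list is the kind of signal a defender can log or alert on when reviewing .env files that pass through an evaluating loader.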
You are affected if you are using a version that falls within the vulnerable range.
@dotenvx/dotenvx is vulnerable to OS command injection in versions 1.24.0 - 1.61.5.
Upgrade the @dotenvx/dotenvx library to a patched version.