Detections
Analytics

CVE-2025-64756

high

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

References

https://www.theregister.com/2025/11/23/infosec_news_in_brief/

https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2

https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146

https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f

Details

Source: Mitre, NVD

Published: 2025-11-17

Updated: 2025-12-02

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.0013