Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

INFO

Published Date :

2025-11-17T17:29:08.029Z

Last Modified :

2025-11-19T02:30:44.520Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64756 vulnerability.

Vendors Products
Isaacs
  • Glob
  • Node-glob
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64756.

URL Resource
https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f cve-icon cve-icon
https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 cve-icon cve-icon cve-icon
https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64756 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64756 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact