CVE-2025-64756

High CVSS: 7.5

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Vendor

Isaacs

Product

Glob

CWE

CWE-78

Yayın Tarihi

2025-11-17 18:15:58

Güncelleme

2025-12-02 19:34:43

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Glob HIGH Isaacs 2025

Referanslar

https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2

Benzer Kayıtlar

High

CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink t…

High

CVE-2026-29786

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that p…

High

CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-control…

High

CVE-2026-24842

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink en…

High

CVE-2026-23950

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an…

High

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library (