CVE-2025-13437

Published: Nov 20, 2025

Modified: Nov 20, 2025

PUBLISHED

Description

When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.

Vendor	Product	Versions
Google	zx	affected `8.8.4`

Weaknesses (CWE)

CWE-706

References

https://github.com/google/zx/issues/1348

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-13437

Description

Affected Products

Weaknesses (CWE)

References