CVE-2025-64756

Published: Nov 17, 2025

Modified: Nov 19, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Vendor	Product	Versions
isaacs	node-glob	affected `>= 10.2.0, < 10.5.0` affected `>= 11.0.0, < 11.1.0`

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2

x_refsource_CONFIRM

https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f

x_refsource_MISC

https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-64756

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References