CVE-2025-64756

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, so shell metacharacters in filenames can trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account. This issue has been patched in versions 10.5.0 and 11.1.0.
OS Command Injection
CVSS 3.x Base Score

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   7.5 HIGH     NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_M   CNA    7.5 HIGH     NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP   ADP    ---          ---

EPSS Score: Percentile 13%
Vendor   Product   Version
isaacs   glob      10.2.0 ≤ x < 10.5.0
isaacs   glob      11.0.0 ≤ x < 11.1.0
x = vulnerable software versions
Debian Releases (Debian product: node-glob)

Codename   Version              Status
bullseye   7.1.6+~7.1.3-1       fixed
bookworm   8.0.3+~cs8.4.15-1    fixed
trixie     8.1.0+~cs8.5.15-1    fixed
forky      10.3.6+~cs0.4.15-8   fixed
sid        10.3.6+~cs0.4.15-8   fixed
Ubuntu Releases (Ubuntu product: node-glob)

Codename   Status
questing   not-affected
plucky     not-affected
noble      not-affected
jammy      not-affected
focal      not-affected
bionic     not-affected
xenial     not-affected
trusty     not-affected