Overview
A high-severity command injection vulnerability, identified as CVE-2025-64756, has been discovered in the glob CLI tool. This vulnerability affects versions 10.3.7 through 11.0.3. Specifically, the vulnerability resides within the -c or --cmd option, allowing for arbitrary command execution when processing files with maliciously crafted names. This could lead to significant security risks, including complete system compromise.
Technical Details
The glob CLI tool matches files against shell-like patterns. When the -c or --cmd option is used with those patterns (e.g., glob -c <command> <patterns>), the matched filenames are appended to the command and the result is run through a child process spawned with shell: true. The critical flaw is that the filenames are placed into that command string unescaped, so the shell parses them as syntax rather than treating them as literal arguments. Any shell metacharacters in a filename therefore let an attacker execute arbitrary commands on the system; for example, a filename like ; rm -rf / would be run as a destructive command.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 7.5, indicating high severity. The CVSS vector considers factors such as the ease of exploitation, the potential impact on confidentiality, integrity, and availability, and the privileges required to exploit the vulnerability.
Possible Impact
The exploitation of this vulnerability can lead to severe consequences, including:
- Arbitrary Code Execution: Attackers can execute any command on the system with the privileges of the user or CI account running the glob command.
- Data Breach: Sensitive data stored on the system could be accessed and exfiltrated.
- System Compromise: An attacker could gain complete control of the affected system, potentially leading to further attacks on the network.
- Denial of Service: Malicious commands could disrupt the normal operation of the system, leading to a denial-of-service condition.
Mitigation or Patch Steps
To mitigate the risk associated with CVE-2025-64756, it is crucial to upgrade to glob version 11.1.0 or later. This version contains a patch that addresses the command injection vulnerability. Specifically:
- Upgrade glob: Use your package manager (e.g., npm, yarn) to update to the latest version: npm install glob@latest or yarn upgrade glob.
- Verify Version: After upgrading, verify that you are running version 11.1.0 or later by running glob --version.
- Review Usage: Examine your scripts and applications that use the glob CLI tool and ensure that you are not processing filenames from untrusted sources without proper sanitization, even after upgrading.
References
- CVE ID: CVE-2025-64756
- Commit Patch: https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146
- GitHub Security Advisory: https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
