Overview
CVE-2025-13437 describes a critical vulnerability in the zx CLI tool that allows for arbitrary directory deletion. This vulnerability arises when the --prefer-local=<path> flag is used. A logic error in the cleanup routine can lead to the deletion of an external <path>/node_modules directory, even if it is located outside the current working directory.
Technical Details
The vulnerability resides in the src/cli.ts file of the zx project. Specifically, the issue lies within the linkNodeModules and cleanup functions. When zx is invoked with --prefer-local=<path>, the CLI attempts to create a symbolic link named ./node_modules pointing to <path>/node_modules.
Due to the bug, the linkNodeModules function incorrectly returns the target path (<path>/node_modules) instead of the alias (./node_modules). The subsequent cleanup routine receives this incorrect path and attempts to remove it. This results in the unintended deletion of the target directory <path>/node_modules.
Here’s a simplified illustration of the vulnerable code flow:
import fs from 'fs'

// Value taken from the --prefer-local=<path> flag (declared here so the illustration type-checks).
declare const providedPath: string

// Creates the symlink ./node_modules -> <path>/node_modules and is expected to
// report the alias it created so that cleanup can remove only that alias.
function linkNodeModules(targetPath: string): string {
  // ...symlink creation logic...
  // Vulnerable line: should return the symlink path (./node_modules), but returns the target path
  return targetPath
}

// Recursively removes whatever path it is handed; it has no way to tell an alias from a real directory.
function cleanup(pathToRemove: string): void {
  // ...remove directory logic...
  fs.rmdirSync(pathToRemove, { recursive: true })
}

// ...main execution...
const target = linkNodeModules(providedPath)
cleanup(target) // Incorrect path leads to deletion of providedPath/node_modules
CVSS Analysis
Currently, there is no CVSS score assigned to CVE-2025-13437. This is likely because the vulnerability requires user interaction (using the --prefer-local flag) and the exact impact can vary depending on the affected directory. However, the potential for arbitrary directory deletion makes this a serious issue.
Possible Impact
The impact of this vulnerability is significant. An attacker, or even a user unintentionally using the --prefer-local flag with a carefully crafted path, could cause:
- Data Loss: Deletion of critical node_modules directories, or of other important directories if a carefully crafted path is provided.
- System Instability: If the deleted directory contains essential system files or application dependencies, it could lead to system instability or application failures.
- Supply Chain Risks: If the deleted directory is part of a development or build process, it could compromise the integrity of the software supply chain.
Mitigation or Patch Steps
The primary mitigation step is to upgrade to a patched version of zx that addresses the vulnerability. Check the official zx repository and release notes for the latest version. The fix should involve correcting the return value of the linkNodeModules function in src/cli.ts to return the symlink path instead of the target path.
As a temporary workaround, exercise extreme caution when using the --prefer-local flag and thoroughly verify the target path before executing the command. Avoid using untrusted or potentially malicious paths with this flag.
