CVE-2025-64756

Published Nov 17, 2025

Last updated 5 months ago

CVSS high 7.5
npm

Overview

Description
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Source
security-advisories@github.com
NVD status
Analyzed
Products
glob

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
5.9
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending

  1. Another high severity zero-day vulnerability autonomously surfaced by @WeAreAisle: CVE-2025-64756 = command injection vulnerability in the core of the Node.js ecosystem, the glob utility https://t.co/iscpxZz0qQ

    @stanislavfort

    20 Nov 2025

    946 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. The NPM module `glob` (230M downloads per week) packages a command-line tool that includes a command injection flaw. This high-severity vulnerability (CVE-2025-64756 CVSSv3=7.5) allows malicious file names to serve as injection vectors for code exection.. Vulnerability affects

    @CheckmarxZero

    19 Nov 2025

    266 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Glob CLI CVE-2025-64756: Command Injection Risk A command injection flaw in Glob CLI lets attackers execute arbitrary code if user input is unsanitized. Patch asap. For more details, read ZeroPath's blog on this vuln. #AppSec #CyberSecurity https://t.co/WGNxW2HKYW

    @ZeroPathLabs

    17 Nov 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-64756 Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that … https://t.co/zTq5X8Edey

    @CVEnew

    17 Nov 2025

    216 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Aquasecurity Trivy Embedded Malicious Code VulnerabilityCVE-2026-33634
  2. The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.CVE-2026-27699
  3. set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.CVE-2026-26021
  4. Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.CVE-2026-24884
  5. n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.CVE-2026-1470

References

Sources include official advisories and independent security research.