CVE-2025-64756: glob CLI: Command injection via -c/--cmd executes matches with shell:true
The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when it processes files with malicious names. When glob -c <command> <patterns> is run, the matched filenames are passed to a shell with shell: true, so shell metacharacters in a filename (for example, a command substitution) are interpreted by the shell rather than treated as part of the name, leading to arbitrary code execution with the privileges of the user or CI account running glob.
References
- github.com/advisories/GHSA-5j98-mcp5-4vw2
- github.com/isaacs/node-glob
- github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f
- github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146
- github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
- nvd.nist.gov/vuln/detail/CVE-2025-64756