CVE-2025-13437: zx Uses Incorrectly-Resolved Name or Reference
(updated )
When zx is invoked with –prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.
References
- github.com/advisories/GHSA-w87r-vg9q-crqm
- github.com/google/zx
- github.com/google/zx/commit/9ef6d3c9962c4ba01e3fb8075855570c192b4681
- github.com/google/zx/commit/a4d1bc2467f305f1c91d62506e215f307dc1fbeb
- github.com/google/zx/issues/1348
- github.com/google/zx/pull/1349
- github.com/google/zx/pull/1355
- nvd.nist.gov/vuln/detail/CVE-2025-13437
Code Behaviors & Features
Detect and mitigate CVE-2025-13437 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →