glob CLI: Command injection via -c/–cmd executes matches with shell:true

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.

Basic Information

ID CVE-2025-64756

Source GitHub_M

Published Nov 17, 2025 at 17:29

Affected Product

Vendor isaacs

Product node-glob

Version >= 10.3.7, < 11.1.0

Affected Versions isaacs node-glob >= 10.3.7, < 11.1.0

CWE Classification

CWE-78

References

{
    "lastseen": "",
    "description": "Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.",
    "published": "2025-11-17T17:29:08.029Z",
    "modified": "2025-11-17T17:29:08.029Z",
    "type": "cve",
    "title": "glob CLI: Command injection via -c/--cmd executes matches with shell:true",
    "source": "GitHub_M",
    "references": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2\nhttps://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146",
    "id": "CVE-2025-64756",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "isaacs node-glob >= 10.3.7, < 11.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "node-glob",
    "version": ">= 10.3.7, < 11.1.0",
    "vendor": "isaacs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

glob CLI: Command injection via -c/–cmd executes matches with shell:true_CVE-2025-64756