CVE-2025-13437

N/A Unknown

📋 TL;DR

This vulnerability in the zx CLI tool allows arbitrary directory deletion when using the --prefer-local flag. Attackers can delete external node_modules directories outside the current working directory. All users of zx who use the --prefer-local option are affected.

💻 Affected Systems

Products:
  • google/zx
Versions: All versions prior to fix
Operating Systems: All platforms where zx runs
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the --prefer-local flag with a path argument.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete deletion of critical system directories leading to service disruption, data loss, or system instability if node_modules directories contain important files.

🟠 Likely Case: Accidental deletion of development dependencies causing build failures and project disruption during normal usage.

🟢 If Mitigated: Limited to development environments with proper access controls, causing only local project disruption.

🌐 Internet-Facing: LOW - zx is primarily a development tool not typically exposed to external networks.
🏢 Internal Only: MEDIUM - Development environments could be disrupted, but impact is limited to directory deletion rather than code execution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to run zx with the vulnerable flag. The GitHub issue linked below demonstrates the exact command.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version after fix (check GitHub for specific version)

Vendor Advisory: https://github.com/google/zx/issues/1348

Restart Required: No

Instructions:

1. Update zx to the latest version: npm update -g zx
2. Verify installation: zx --version
3. Test with --prefer-local flag to confirm fix

🔧 Temporary Workarounds

Avoid the --prefer-local flag (applies to: all platforms)

Do not use the --prefer-local flag with path arguments until patched.

🧯 If You Can't Patch

  • Restrict zx usage to trusted users only
  • Implement file system monitoring for unexpected node_modules deletions

🔍 How to Verify

Check if Vulnerable:

Run zx --prefer-local=/some/path against a disposable test path and check whether an external node_modules directory gets deleted.

Check Version:

zx --version

Verify Fix Applied:

After updating, run the same command and verify that no deletion occurs.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected deletion of node_modules directories
  • zx process execution with --prefer-local flag

SIEM Query:

Process execution where command_line contains 'zx' and '--prefer-local'
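An added example, not from the advisory or the zx project: a small Python scanner that applies the SIEM rule above to constructed process-execution events, keeps only zx runs where --prefer-local carries a path (the vulnerable usage per the Notes above), and marks whether that path resolves outside the process's working directory. The key=value event format, the cwd field, the npx wrapper handling and the --prefer-local=<path> parsing are assumptions.

```python
import posixpath
import re
import shlex
from typing import Optional

# Constructed sample process-execution events (key=value, cmd quoted); not real telemetry.
SAMPLE_EVENTS = [
    'host=dev01 user=alice cwd=/home/alice/app cmd="zx --prefer-local=/srv/shared/lib script.mjs"',
    'host=dev01 user=bob cwd=/home/bob/app cmd="zx --prefer-local script.mjs"',
    'host=ci02 user=runner cwd=/build/proj cmd="npx zx --prefer-local=../sibling build.mjs"',
    'host=ci02 user=runner cwd=/build/proj cmd="zx --prefer-local=./vendor build.mjs"',
    'host=dev03 user=carol cwd=/home/carol cmd="node script.js --prefer-local=/tmp"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # assumed event syntax

def parse_event(line: str) -> dict:
    """Split a key=value event line; double-quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def prefer_local_path(cmd: str) -> Optional[str]:
    """Return the path from --prefer-local=<path> when the command runs zx, else None.
    Only the '=' form shown in the advisory is recognised (assumption); a bare
    --prefer-local with no path is not the vulnerable usage and yields None."""
    argv = shlex.split(cmd)
    if argv and argv[0] == "npx":  # assumed wrapper style: treat 'npx zx ...' as a zx run
        argv = argv[1:]
    if not argv or posixpath.basename(argv[0]) != "zx":
        return None
    for arg in argv[1:]:
        if arg.startswith("--prefer-local="):
            return arg[len("--prefer-local="):]
    return None

def scan(events: list) -> list:
    """Flag zx runs that pass a path to --prefer-local; outside_cwd marks paths that
    resolve outside the process working directory (the external-deletion case)."""
    findings = []
    for line in events:
        ev = parse_event(line)
        path = prefer_local_path(ev.get("cmd", ""))
        if path is None:
            continue
        cwd = posixpath.normpath(ev.get("cwd", "/"))
        target = posixpath.normpath(posixpath.join(cwd, path))
        findings.append({"host": ev.get("host", "?"), "user": ev.get("user", "?"),
                         "target": target,
                         "outside_cwd": posixpath.commonpath([cwd, target]) != cwd})
    return findings
```

The cwd field is what turns a plain command-line string match into the "outside the current working directory" condition from the TL;DR; without it the rule degrades to the string match alone.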
