CVE-2025-64756
📋 TL;DR
CVE-2025-64756 is a command injection vulnerability in the glob command-line tool (the CLI shipped with the `glob` npm package). When glob is run with the -c/--cmd option, the matched paths are appended to the supplied command and the whole line is handed to a shell, so a filename containing shell metacharacters (`;`, `|`, `&`, backticks, `$(...)`) is executed as shell syntax instead of being passed as an argument. An attacker who can create or influence filenames in the directories glob walks gets arbitrary command execution with the privileges of the user or CI account running glob; where those filenames arrive from an untrusted source (a pull request checked out in CI, an upload directory), this is effectively remote code execution. Affected: glob 10.2.0 through 10.4.x and 11.0.x, only for CLI invocations that use -c/--cmd.
💻 Affected Systems
- node-glob
📦 What is this software?
Glob by Isaacs
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running glob, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Arbitrary command execution in CI/CD pipelines or automated scripts, leading to credential theft, data exfiltration, or deployment of malicious code.
If Mitigated
If glob runs under a low-privilege account on an isolated, ephemeral runner and only walks directories that untrusted parties cannot write to, the blast radius is confined to that account and runner. The injection itself still happens whenever a hostile filename is matched, so these controls limit impact; they do not remove the vulnerability.
🎯 Exploit Status
Exploitation requires the attacker to control or influence a filename that glob matches while running with -c/--cmd (for example by adding a file to a repository that a CI job later processes with glob -c). Once that condition is met, exploitation is trivial: the malicious filename is simply a shell command fragment, with no memory corruption, race, or special tooling involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.5.0 or 11.1.0
Vendor Advisory: https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
Restart Required: No
Instructions:
1. Update glob to a fixed release on the line you are using: npm install glob@^10.5.0 (10.x) or npm install glob@^11.1.0 (11.x). Note that npm update glob only moves within the range already declared in package.json, so it will not cross a major boundary; for nested copies pinned by other packages, use npm audit fix or an overrides entry in package.json.
2. Verify the update with npm list glob, which lists every copy of glob in node_modules, including copies nested under other dependencies.
3. Test that the glob CLI and any scripts or pipeline steps that use it still work correctly in your environment.
🔧 Temporary Workarounds
Avoid using -c/--cmd option
Do not use the -c or --cmd option of the glob CLI. Have glob print the matches and run your command from a script that passes each path as a separate argument, rather than through a shell-interpreted command string.
Input validation for filenames
Reject, rather than try to sanitize, any matched filename containing shell metacharacters (; | & ` $ ( ) < > quotes, whitespace) before it reaches -c. This is a stopgap: it only helps if the check runs before glob builds the command line, so it belongs in whatever invokes glob, not inside the -c command itself.
🧯 If You Can't Patch
- Remove or restrict write access to directories where malicious filenames could be created
- Run glob with minimal privileges using non-administrative accounts
🔍 How to Verify
Check if Vulnerable:
Run npm list glob; it lists every copy of glob in node_modules, including transitive ones under other dependencies. Any copy in 10.2.0-10.4.x or 11.0.x is a vulnerable build. It is exploitable only where that copy's CLI is invoked with -c/--cmd (via npx glob -c, a package.json script, or a CI step), so also search your scripts and pipeline definitions for glob -c and --cmd.
Check Version:
npm list glob | grep glob
Verify Fix Applied:
After updating, verify version is 10.5.0 or higher, or 11.1.0 or higher: npm list glob | grep glob.
📡 Detection & Monitoring
Log Indicators:
- A shell (sh, bash, dash, or cmd.exe) spawned by a node process that is running the glob CLI with -c/--cmd, seen in process-creation telemetry (auditd execve records, Sysmon Event ID 1, EDR process events); glob itself writes no logs, so the signal lives in OS-level process auditing
- That child shell's command line containing metacharacters (; | & ` $( )) or a second command that the -c value did not contain
Network Indicators:
- Unexpected outbound connections (downloaders, reverse shells, exfiltration) from CI runners or hosts shortly after a glob -c invocation, especially from a process whose ancestry includes node > sh
SIEM Query:
process.name:"node" AND process.args:*glob* AND (process.args:"-c" OR process.args:"--cmd") AND process.args:/.*[;|&`$].*/
(Illustrative Lucene/KQL-style pseudo-query; adapt field names and wildcard or regex escaping to your SIEM. This only finds the risky usage. The stronger signal is the child process: a shell whose parent is a node process running the glob CLI with -c, where the shell's command line carries metacharacters that the operator's own -c value did not contain.)