CVE-2025-64756 Overview
CVE-2025-64756 is a command injection vulnerability affecting the Glob Node.js package, a widely-used library for matching files using shell-style patterns. The vulnerability exists in the -c/--cmd option of the glob CLI, where matched filenames are passed to a shell with shell: true enabled. This allows attackers to craft malicious filenames containing shell metacharacters that trigger arbitrary command execution under the privileges of the user or CI account running the glob command.
Critical Impact
Attackers can achieve arbitrary code execution by creating files with specially crafted names containing shell metacharacters, potentially compromising development environments and CI/CD pipelines.
Affected Products
- isaacs glob versions 10.2.0 to 10.4.x (prior to 10.5.0)
- isaacs glob versions 11.0.x (prior to 11.1.0)
- Node.js applications using vulnerable glob CLI versions
Discovery Timeline
- 2025-11-17 - CVE-2025-64756 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-64756
Vulnerability Analysis
This command injection vulnerability (CWE-78) arises from unsafe handling of user-controlled input when the glob CLI processes filenames. When a user executes the glob command with the -c or --cmd option followed by a command and file patterns, the library matches files according to the specified patterns and passes the matched filenames to a shell for command execution. The critical flaw is that this shell invocation uses the shell: true option, which enables interpretation of shell metacharacters within filenames.
The vulnerability requires an attacker to have the ability to create files with malicious names in a directory that will be processed by glob. While the attack complexity is elevated due to this prerequisite, the impact is severe as it can lead to complete compromise of the execution context, including theft of credentials, exfiltration of sensitive data, or establishing persistent access.
Root Cause
The root cause of CVE-2025-64756 is the use of shell: true when spawning child processes to execute commands on matched filenames. When filenames containing shell metacharacters (such as ;, |, $(), backticks, etc.) are passed unsanitized to a shell, those metacharacters are interpreted as shell syntax rather than literal filename characters. Because the filenames are neither validated nor escaped before being concatenated into the command line, whoever controls a filename controls part of the command, which allows arbitrary command injection.
Attack Vector
The attack vector for this vulnerability is rated network-based, because malicious files can be introduced through various means, including:
- Untrusted archive extraction (zip, tar) containing maliciously named files
- Git repositories with crafted filenames
- User-uploaded content in web applications
- Shared file systems or network storage
An attacker creates a file with a name like ; malicious-command ;.txt or uses command substitution syntax like $(whoami).txt. When glob processes this file with the -c option, the shell interprets the metacharacters and executes the embedded commands with the privileges of the running process.
The vulnerability is particularly dangerous in CI/CD environments where glob may process files from untrusted sources during build or deployment pipelines.
Detection Methods for CVE-2025-64756
Indicators of Compromise
- Unusual files created with names containing shell metacharacters such as ;, |, &, $(), or backticks
- Unexpected child processes spawned from Node.js or npm/npx processes
- Audit logs showing command execution patterns inconsistent with normal glob usage
- Network connections initiated from build or CI environments to unexpected destinations
Detection Strategies
- Monitor for the execution of glob CLI with -c or --cmd flags in production or CI environments
- Implement file integrity monitoring to detect creation of files with suspicious naming patterns
- Review npm audit reports and dependency vulnerability scanning for glob package versions
- Enable process execution logging to identify command injection attempts
Monitoring Recommendations
- Configure security monitoring tools to alert on shell metacharacters in filenames being processed
- Implement runtime application self-protection (RASP) to detect and block command injection attempts
- Review CI/CD pipeline logs for anomalous command execution patterns
- Enable audit logging for all file operations in sensitive directories
How to Mitigate CVE-2025-64756
Immediate Actions Required
- Upgrade glob immediately to version 10.5.0 or later (10.x line) or 11.1.0 or later (11.x line)
- Audit applications and scripts that use glob CLI with the -c/--cmd option
- Review recent file system activity for potentially malicious filenames
- Consider temporarily disabling glob CLI usage with command execution until patching is complete
Patch Information
The vulnerability has been patched in glob versions 10.5.0 and 11.1.0. The security patches are available through the following commits:
For complete details, see the GitHub Security Advisory GHSA-5j98-mcp5-4vw2.
Workarounds
- Avoid using the -c/--cmd option with glob when processing files from untrusted sources
- Implement filename validation to reject files containing shell metacharacters before processing
- Use glob programmatically without shell execution, handling matched files through safe Node.js APIs
- Run glob processes in sandboxed environments with minimal privileges
# Update glob to the patched 10.x release
npm install glob@^10.5.0
# Or, for the 11.x line
npm install glob@^11.1.0
# Verify which glob versions are installed, including transitive copies
npm list glob --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.