CVE-2025-64756

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-64756

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

G

lob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

References
Link Resource
https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f Patch
https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 Patch
https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
History

02 Dec 2025, 19:34

Type Values Removed Values Added
First Time Isaacs
Isaacs glob
References () https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f - () https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f - Patch
References () https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 - () https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 - Patch
References () https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 - () https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 - Exploit, Vendor Advisory
CPE cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*

19 Nov 2025, 03:16

Type Values Removed Values Added
Summary (en) Glob matches files using patterns the shell uses. Starting in version 10.3.7 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0. (en) Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

18 Nov 2025, 18:16

Type Values Removed Values Added
Summary (en) Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0. (en) Glob matches files using patterns the shell uses. Starting in version 10.3.7 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
References
  • () https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f -

17 Nov 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-11-17 18:15

Updated : 2025-12-02 19:34

NVD link : CVE-2025-64756

Mitre link : CVE-2025-64756

CVE.ORG link : CVE-2025-64756

JSON object : View

Products Affected

isaacs

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')