CVE-2025-64756
JavaScript vulnerability analysis and mitigation

Overview

CVE-2025-64756 affects versions 10.3.7 through 11.0.3 of the glob CLI tool, which contain a command injection vulnerability in the -c/--cmd option. The vulnerability was discovered and disclosed on November 17, 2025, and affects the command-line interface component of the node-glob package. When glob -c is used, matched filenames are passed to a shell with shell: true, so shell metacharacters in filenames can trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account running the tool (GitHub Advisory).

Technical details

The vulnerability exists in src/bin.mts where the CLI collects glob matches and executes the supplied command using foregroundChild() with shell: true. The core glob library API (glob(), globSync(), streams/iterators) is not affected. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (GitHub Advisory).

Impact

The vulnerability allows arbitrary command execution with the full privileges of the user running the glob CLI; no privilege escalation is required. Attackers can potentially access environment variables, the file system, and the network. This poses significant risk in CI/CD pipelines, developer workstations, and automated processing systems, and could enable supply-chain poisoning. The impact is particularly severe on POSIX/Linux/macOS systems because of the flexible characters allowed in filenames and the way the shell parses them (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 10.5.0, 11.1.0, and 12.0.0. Users should upgrade to glob@11.1.0 or higher immediately. Where existing glob CLI actions fail, commands that contained positional arguments should be converted to use the --cmd-arg/-g option instead. As a last resort, --shell can be used to keep the shell: true behavior until glob v12, but only in environments where no untrusted content can appear in the file path results (GitHub Advisory, GitHub Commit).

Additional resources


Related JavaScript vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| GHSA-fjh6-8679-9pch | HIGH | 8.3 | JavaScript | flowise-ui | No | Yes | Nov 14, 2025 |
| GHSA-x39m-3393-3qp4 | HIGH | 8.3 | JavaScript | flowise-ui | No | Yes | Nov 14, 2025 |
| CVE-2025-64756 | HIGH | 7.5 | JavaScript | argo-workflows-fips-3.6 | No | Yes | Nov 17, 2025 |
| GHSA-m8jr-fxqx-8xx6 | HIGH | 7.5 | JavaScript | @apollo/composition | No | Yes | Nov 14, 2025 |
| CVE-2025-64758 | MEDIUM | 4.8 | JavaScript | @dependencytrack/frontend | No | Yes | Nov 17, 2025 |
