CVE-2025-64756 | THREATINT

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

PUBLISHED Reserved 2025-11-10 | Published 2025-11-17 | Updated 2025-11-19 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

>= 10.2.0, < 10.5.0

affected

>= 11.0.0, < 11.1.0

affected

References

github.com/...e-glob/security/advisories/GHSA-5j98-mcp5-4vw2

github.com/...ommit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f

github.com/...ommit/47473c046b91c67269df7a66eab782a6c2716146

cve.org (CVE-2025-64756)

nvd.nist.gov (CVE-2025-64756)

Download JSON