
"It's there that the problem starts: Glob is programmed with shell: true enabled by default, meaning that whenever a file is found using glob's CLI tool with a -c flag it passes the file to a shell for execution. On POSIX systems, specifically (e.g., Linux, macOS, BSD, etc.), shell metacharacters included in a file name are executed as if they're code, meaning a file touched by glob -c with a maliciously coded name will do whatever an attacker wants it to."
""The implementation assumed filenames were trustworthy data, but this assumption was wrong," AISLE researchers noted. The researchers suspect the flaw went unnoticed for so long because, despite glob being downloaded more than ten million times a week on average, the CLI tool is rarely used, "and even fewer know that -c executes through a shell.""
"Glob versions v10.2.0 through v11.0.3 are vulnerable, and even then only in specific environments that process files from untrusted sources on POSIX systems with CI/CD pipes or build scripts that invoke glob -c or glob -cmd. Glob v10.5.0, v11.1.0, and v12.0.0 fix the issue; glob users who can check off all the vulnerability criteria are advised to update as soon as possible."
Glob is a widely used JavaScript wildcard file-matching library whose CLI option -c executes commands on matching files. A 7.5-rated remote code execution vulnerability (CVE-2025-64756) exists because the CLI runs with shell: true by default and passes filenames to a shell. On POSIX systems, filenames containing shell metacharacters can be interpreted as commands, allowing arbitrary code execution when build scripts or CI/CD pipelines invoke glob -c on untrusted files. Affected versions include v10.2.0 through v11.0.3. Fixes are available in v10.5.0, v11.1.0, and v12.0.0; vulnerable environments should update promptly.
Read at Theregister