Byte Open Security

(ByteOS Network)

NVD Vulnerability Details: CVE-2025-64756
Analyzed
Source: security-advisories@github.com
Published At: 17 Nov, 2025 | 18:15
Updated At: 02 Dec, 2025 | 19:34

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, so shell metacharacters in filenames can trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account. This issue has been patched in versions 10.5.0 and 11.1.0.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches

isaacs >> glob >> Versions from 10.2.0 (inclusive) to 10.5.0 (exclusive)
cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
isaacs >> glob >> Versions from 11.0.0 (inclusive) to 11.1.0 (exclusive)
cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
Weaknesses
CWE ID: CWE-78
Type: Secondary
Source: security-advisories@github.com
References
Hyperlink: https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
Source: security-advisories@github.com
Resource: Exploit, Vendor Advisory
Change History
0 changes found