CVE-2025-64756 HIGH

CVE-2025-64756: glob CLI: Command injection via -c/--cmd executes matches with shell:true

Vendor Isaacs
Product node-glob
Weakness CWE-78
Published November 17, 2025
Last update November 19, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Glob matches files using the same pattern syntax the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, the matched filenames are passed to a shell with shell: true, so shell metacharacters in a filename are interpreted by the shell rather than treated as literal characters, enabling command injection and arbitrary code execution with the privileges of the user or CI account running glob. This issue has been patched in versions 10.5.0 and 11.1.0.

Key dates

Disclosure timeline

November 17, 2025 CVE published
November 19, 2025 Record updated

Related vulnerabilities

Related CVE