Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Isaacs
  • Glob
  • Node-glob

Configuration 1 [-]

OR cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*

No data.

References
Link Providers
https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f cve-icon cve-icon
https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 cve-icon cve-icon cve-icon
https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64756 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64756 cve-icon
History

Thu, 04 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 02 Dec 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Isaacs glob
CPEs cpe:2.3:a:isaacs:glob:*:*:*:*:*:node.js:*:*
Vendors & Products Isaacs glob

Wed, 19 Nov 2025 03:00:00 +0000

Type Values Removed Values Added
Description Glob matches files using patterns the shell uses. Starting in version 10.3.7 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0. Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Tue, 18 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Description Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0. Glob matches files using patterns the shell uses. Starting in version 10.3.7 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
References

Tue, 18 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Isaacs
Isaacs node-glob
Vendors & Products Isaacs
Isaacs node-glob

Mon, 17 Nov 2025 17:45:00 +0000

Type Values Removed Values Added
Description Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Title glob CLI: Command injection via -c/--cmd executes matches with shell:true
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-11-17T17:29:08.029Z

Updated: 2025-11-19T02:30:44.520Z

Reserved: 2025-11-10T22:29:34.874Z

Link: CVE-2025-64756

cve-icon Vulnrichment

Updated: 2025-11-18T16:37:07.785Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-17T18:15:58.270

Modified: 2025-12-02T19:34:43.270

Link: CVE-2025-64756

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-17T17:29:08Z

Links: CVE-2025-64756 - Bugzilla