Glob CLI CVE-2025-64756 Command Injection: Brief Summary and Technical Review

This post offers a brief summary and technical review of CVE-2025-64756, a command injection vulnerability in the glob npm package CLI affecting versions 10.3.7 through 11.0.3. Security professionals will find specific details on affected versions, vulnerability mechanics, and references to official advisories and patches.
ZeroPath CVE Analysis

2025-11-17

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single malicious filename can compromise an entire CI pipeline or developer workstation if processed with the wrong tool. The glob npm package, a backbone utility for file pattern matching in Node.js, was found to contain a command injection vulnerability in its CLI affecting versions 10.3.7 through 11.0.3. This issue, tracked as CVE-2025-64756, allows arbitrary command execution when the CLI's -c or --cmd option is used and filenames contain shell metacharacters. Given glob's ubiquity—over 79 million weekly downloads and integration in countless build tools—this vulnerability has significant implications for the JavaScript ecosystem and any workflow that automates file handling with glob's CLI.

Technical Information

CVE-2025-64756 is a command injection vulnerability in the glob CLI. The affected functionality is the -c or --cmd option, which lets users run a shell command for each file matched by a glob pattern. In vulnerable versions (10.3.7 through 11.0.3), the CLI builds a single command string containing the matched filenames and runs it with Node's child_process shell: true option, so the string is parsed by a shell rather than passed as literal arguments. If a filename contains shell metacharacters such as ;, |, or $(), the shell interprets them instead of treating them as part of the filename. A file named foo.txt; id would therefore cause the shell to run both the intended command and the injected id command.

The root cause is the lack of escaping or sanitization for filenames before they are interpolated into the shell command string. This is a classic instance of CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerable code path is only present in CLI usage of glob, not in the core JavaScript API. The risk is highest in environments where filenames can be influenced by untrusted users or external sources, such as CI/CD pipelines processing user uploads or repositories.

Affected Systems and Versions

  • Product: glob npm package
  • Affected versions: 10.3.7 through 11.0.3
  • Vulnerable configuration: Any use of the CLI with the -c or --cmd option that processes filenames which could contain shell metacharacters
  • Not affected: glob versions 11.1.0 and later

Vendor Security History

Glob is maintained by Isaac Z. Schlueter and is a foundational dependency in the Node.js ecosystem. The project has a generally strong security record, with few prior critical vulnerabilities. The vendor responded to this issue with a patch in version 11.1.0 and maintains a public advisory process on GitHub.
