*Published: 2024-06-17 | Exploitation Level: Easy | Affected Versions: glob 10.2 up to (not including) 10.5 and 11.1.*
Introduction
The glob package is one of the most widely used tools for file pattern matching in Node.js projects, scripts, and continuous integration (CI) environments. It mimics the shell’s pattern expansion (globbing) to match files and folders based on flexible wildcards.
A critical security vulnerability has been discovered and assigned CVE-2025-64756. This flaw allows an attacker to achieve arbitrary command execution simply by using filenames crafted with special characters. The vulnerability affects glob CLI commands that utilize the -c or --cmd options for passing matched filenames to a shell command.
What Is Vulnerable?
Affected versions: glob 10.2 up to (not including) 10.5, and 11.1 (as stated in the header above); the fixed releases are 10.5 and 11.1.
Vulnerability Details
When you use glob with the -c or --cmd option, each file match is substituted into your custom command, which then runs in a shell (i.e., shell: true in Node.js). Here’s the problem: special characters in filenames can break out of the intended command and run arbitrary code.
Example Command
glob -c "echo matched:" "*.txt"
Suppose a file named
normal_file.txt
gets processed, the shell sees
echo matched: normal_file.txt
No problem.
But what if you have a file with a malicious name, such as
innocent.txt; touch pwned.txt; #.txt
The shell command becomes
echo matched: innocent.txt; touch pwned.txt; #.txt
This actually creates a new file "pwned.txt"—demonstrating how an attacker can inject arbitrary commands.
Proof of Concept (PoC)
To see the vulnerability in action, follow these steps on a vulnerable system using glob CLI v10.2 through v10.4.x:
Step 1: Create a malicious file
touch 'exploit.txt; echo HACKED > hacked.txt; #'
Step 2: Run glob with -c
glob -c 'cat {}' '*.txt*'
Step 3: Observe the result
A new file hacked.txt will appear in your directory, filled with HACKED, even though your intention was just to cat files.
Exploit Scenario
- Local attacks: If an attacker can create files or folders (e.g., through a web upload, in CI workspace, or shared storage), they can inject shell commands.
- CI/CD pipelines: Many build and test scripts use glob to process files created during builds or tests. A malicious artifact filename could run the attacker's code under CI service accounts, which often have broad permissions.
- Shared environments: Any user with write privileges could create such a filename to subvert scripts run by privileged users.
Why Does This Happen?
The flaw comes from using shell: true in child process execution without properly escaping filenames, passing them directly to the shell.
Relevant code snippet (simplified)
const { exec } = require('child_process');
// cmd is the -c/--cmd template; filename comes from the glob match and is attacker-controlled
exec(`${cmd} ${filename}`, { shell: true }); // the whole string is parsed by the shell
Using shell metacharacters (;, &, |, backticks, etc.) in filenames means the shell will interpret them—leading to command injection.
Remediation
Immediate action:
Upgrade glob to at least v10.5 or v11.1.
Change your scripts:
- Avoid passing user-controlled or external filenames directly into -c/--cmd arguments.
- Where possible, pass arguments without shell invocation, or safely escape filenames.
Behaviour after the fix:
From v10.5 and v11.1 upwards, filenames are sanitized or passed in a way that disables dangerous shell interpretation.
References
- NPM Security Advisory: glob Command Injection
- CVE-2025-64756 at NVD
- glob NPM package
- Original fix commit _(replace with actual commit URL when available)_
Conclusion
This issue shows how even trusted utilities like glob can become dangerous in automation and CI/CD environments if they call out to the shell using unsanitized inputs. If you use glob CLI or similar tools, check your dependencies, update immediately, and develop a habit of safe command handling—never trust filenames!
Have you secured your CI yet?
*Share this alert with your devops and security teams—prevention is a patch away.*
Timeline
Published on: 11/17/2025 18:15:58 UTC
Last modified on: 12/02/2025 19:34:43 UTC