## Node.js Glob CLI Vulnerability (CVE-2025-64756): Command Injection via Malicious Filenames
A critical command injection vulnerability has been disclosed in the widely used Node.js `glob` package, a core utility for file pattern matching. Tracked as CVE-2025-64756 (GHSA-5j98-mcp5-4vw2), the flaw resides in the package's command-line interface (CLI) and is triggered when the `-c` or `--cmd` option is used. This option, designed to execute a command for each matched file, passes its arguments to a shell with `shell:true`. As a result, an attacker who can craft malicious filenames that the CLI tool later processes can achieve arbitrary command execution on the host system.

The vulnerability specifically affects the `glob` CLI tool. The issue stems from unsafe handling of user-controlled input (filenames) within a shell execution context. When a user runs a command like `glob -c 'echo' 'pattern'`, the tool spawns a shell to run the specified command for each matching file. A malicious filename containing shell metacharacters (e.g., `; rm -rf /`) could break out of the intended command and execute arbitrary code. This poses a significant risk in automated scripts, CI/CD pipelines, or any environment where the `glob` CLI processes untrusted file systems or user-uploaded content.

This security update, moving from version 11.0.0 to 11.1.0, patches the vulnerability. The fix likely involves sanitizing input or altering the execution method to prevent command injection. Developers and system administrators relying on the `glob` CLI should prioritize this update, especially in scenarios involving external or unvalidated file inputs. Automated dependency-management tools such as RenovateBot flag this CVE, which underlines the urgency of remediation across the Node.js ecosystem to prevent potential system compromise.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, nodejs, vulnerability, command-injection, npm
- **Credibility**: unverified
- **Published**: 2026-03-28 14:27:00
- **ID**: 39102
- **URL**: https://whisperx.ai/en/intel/39102