Homepage

glob@10.3.15 vulnerabilities

the most correct and second fastest glob implementation in JavaScript

  • latest version

    13.0.0

  • latest non vulnerable version

    13.0.0

  • first published

    14 years ago

  • latest version published

    28 days ago

  • licenses detected

    • ISC
      >=4.0.5 <11.1.0
  • View glob package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the glob package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Command Injection

    Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild() on them, which defaults to setting shell: true. An attacker who can control the filenames being matched can execute arbitrary commands with the privileges of the user running the process by writing files with malicious names containing shell metacharacters - e.g. $(touch injected_poc).

    The malicious filename must be the target of a match by the glob -c command. Such filenames would not trigger this exploit when invoking glob() or related functions via the library API.

    How to fix Command Injection?

    Upgrade glob to version 10.5.0, 11.1.0 or higher.

    >=10.3.7 <10.5.0>=11.0.0 <11.1.0
    Go back to all versions of this package