Command Injection Affecting glob package, versions >=10.3.7 <10.5.0>=11.0.0 <11.1.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-GLOB-14040952
- published18 Nov 2025
- disclosed17 Nov 2025
- creditBabajide Emmanuel Fakile
Introduced: 17 Nov 2025
NewCVE-2025-64756 (opens in a new tab)How to fix?
Upgrade glob to version 10.5.0, 11.1.0 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild() on them, which defaults to setting shell: true. An attacker who can control the filenames being matched can execute arbitrary commands with the privileges of the user running the process by writing files with malicious names containing shell metacharacters - e.g. $(touch injected_poc).
The malicious filename must be the target of a match by the glob -c command. Such filenames would not trigger this exploit when invoking glob() or related functions via the library API.