Full Report
PLUS: CISA issues drone warning; China-linked DNS-hijacking malware; Prison for BTC Samourai; And more. Infosec In Brief: Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool's CLI.…
Analysis Summary
# Vulnerability: Arbitrary Command Execution in glob CLI via Malicious Filenames
## CVE Details
- CVE ID: CVE-2025-64756
- CVSS Score: 7.5 (High)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: `glob` file pattern matching library (specifically its Command Line Interface/CLI tool)
- Versions: v10.2.0 through v11.0.3 (inclusive)
- Configurations: Exploitable only when the CLI is invoked with the `-c` or `--cmd` flag on a POSIX system and the matched files come from untrusted sources (typically within CI/CD pipelines or build scripts).
## Vulnerability Description
The vulnerable `glob` CLI tool contains a command injection flaw in its `-c/--cmd` option. When this flag is used, matched filenames are passed to the underlying shell with `shell: true`. Shell metacharacters present within the names of files being matched can be exploited to inject and execute arbitrary operating system commands, leading to Remote Code Execution (RCE) with the privileges of the user or CI account running the command. The flaw exists because the implementation incorrectly assumed matched filenames were trustworthy data.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but researchers urged immediate updates due to the severity.
- Complexity: Likely Medium. Requires the attacker to control the file names being processed by a specific configuration of the `glob` CLI.
- Attack Vector: Network/Local (Depends on how untrusted files are introduced into a system that runs the CLI).
## Impact
- Confidentiality: Likely High (Arbitrary code execution allows reading sensitive data).
- Integrity: Likely High (Arbitrary code execution allows modification of data or system state).
- Availability: Likely High (Arbitrary code execution can lead to system disruption or denial of service).
## Remediation
### Patches
The vulnerability is fixed in the following versions:
- `glob` v10.5.0
- `glob` v11.1.0
- `glob` v12.0.0 and later (the fix is assumed to be carried forward into newer releases)
Users should update to the latest patched version available (e.g., v11.1.0 or v12.0.0+).
### Workarounds
Users operating in vulnerable environments (POSIX systems invoking `glob -c` on untrusted inputs) who cannot immediately update should:
1. Avoid using the `-c` or `--cmd` flag in the `glob` CLI tool.
2. Ensure that any files being processed by the `glob` CLI tool (especially when using `-c`) originate only from trusted sources, validating file names rigorously.
## Detection
- Indicators of compromise (IOCs): Look for unexpected process execution originating from build/CI processes that utilize the `glob` CLI, specifically commands launched via shell metacharacters (`|`, `;`, `&`, `$()`, backticks) embedded in file paths being matched.
- Detection methods and tools: Integrate static analysis (SAST) into CI/CD pipelines to flag code that builds shell command strings from external input. Monitor process creation and system calls originating from build processes for suspicious command executions derived from file system operations.
## References
- Vendor Advisories: https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2
- Research Blog: hxxps://aisle.com/blog/how-aisles-autonomous-analyzer-found-command-injection-in-globs-cli-10m-weekly-downloads/