[Snyk - High] glob@10.4.5 - Command Injection (Due 25 Dec 2025) #399
Description
glob@10.4.5
Command Injection
CWE-78 | CVSS 7.7 | CVE-2025-64756 | SNYK-JS-GLOB-14040952
Introduced through: glob@10.4.5
Fixed in: glob@10.5.0, @11.1.0
Detailed paths and remediation
-
Introduced through: fecfile-validate@0.0.1 › glob@10.4.5
Fix: Upgrade to glob@10.5.0
Security information
Factors contributing to the scoring:
- Snyk: CVSS v4.0 7.7 - High Severity | CVSS v3.1 7.5 - High Severity
- NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Command Injection in the CLI, via the ~~c/~~-cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild() on them, which defaults to setting shell: true. An attacker who can control the filenames being matched can execute arbitrary commands with the privileges of the user running the process by writing files with malicious names containing shell metacharacters - e.g. $(touch injected_poc).
The malicious filename must be the target of a match by the glob -c command. Such filenames would not trigger this exploit when invoking glob() or related functions via the library API.
QA Notes
null
DEV Notes
null
Design
null
See full ticket and images here: FECFILE-2681
Pull Request: #404