CVE-2025-64756 — HIGH (7.5)

Q: How severe is CVE-2025-64756?

CVE-2025-64756 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-64756?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Glob.

Vulnerability Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isaacs	Glob	>= 10.2.0, < 10.5.0

Related Weaknesses (CWE)

CWE-78

References

FAQ

What is CVE-2025-64756?

CVE-2025-64756 is a vulnerability with a CVSS score of 7.5 (HIGH). Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option tha...

How severe is CVE-2025-64756?

CVE-2025-64756 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-64756?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Glob.