PT-2025-47185 · Glob · Glob

Published 2025-11-17 · Updated 2025-12-07 · CVE-2025-64756

CVSS v3.1: 7.5
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Glob versions 10.3.7 through 11.0.3

Description

The glob command-line interface contains a command injection issue in its -c/--cmd option. This allows arbitrary command execution when processing files with maliciously crafted names. When using glob -c <command> <patterns>, matched filenames are passed to a shell, and shell metacharacters within filenames can trigger command injection, leading to arbitrary code execution with the privileges of the user or CI account. The cmd option is vulnerable.

Recommendations

Update to version 11.1.0 or later.
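
The weakness class in the description, shown as an added example that is not taken from this advisory or from glob's source code: the same constructed filenames are handed to a command once by concatenation into a shell string and twice in ways that keep each name a single argument. The function names, the sample filenames and the use of printf as the command are assumptions made for illustration.

```javascript
// Added illustration, not glob's source. Function names are hypothetical.
const { spawnSync } = require('node:child_process');

// Constructed sample: names a pattern match could return. The second name
// embeds a command substitution that only prints a harmless marker.
const matches = ['report.txt', '$(echo INJECTED).txt'];

// Split captured stdout into one entry per printed line.
const lines = (r) => r.stdout.trim().split('\n');

// Flawed: names are concatenated into the command line, so the shell
// parses metacharacters inside them as syntax.
function runConcatenated(cmd, files) {
  return lines(spawnSync('sh', ['-c', `${cmd} ${files.join(' ')}`], { encoding: 'utf8' }));
}

// Hardened, no shell: each name is exactly one argv entry.
function runArgv(program, args, files) {
  return lines(spawnSync(program, [...args, ...files], { encoding: 'utf8' }));
}

// Hardened, shell still needed: names are passed as positional parameters
// and expanded only through a quoted "$@", never re-parsed as shell text.
function runPositional(cmd, files) {
  return lines(spawnSync('sh', ['-c', `${cmd} "$@"`, 'sh', ...files], { encoding: 'utf8' }));
}

// The concatenated form prints INJECTED.txt (the substitution ran);
// both hardened forms print the filename literally.
console.log(runConcatenated("printf '%s\\n'", matches));
console.log(runArgv('printf', ['%s\\n'], matches));
console.log(runPositional("printf '%s\\n'", matches));
```

When auditing CI scripts for this pattern, look for any step where a list of matched paths is joined into a string that is later given to a shell.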

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-64756
GHSA-5J98-MCP5-4VW2

Affected Products

Glob