PT-2025-47601 · Zx · Zx
Ali Firas
·
Published
2025-11-20
·
Updated
2025-11-24
·
CVE-2025-13437
CVSS v4.0
5.6
Medium
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
zx (affected versions not specified)
Description
A flaw exists in zx when the command-line interface is invoked with the --prefer-local <path> option. The CLI creates a symbolic link ./node_modules in the current working directory that points to the node_modules directory under <path>. A logic error in src/cli.ts, in the linkNodeModules() and cleanup() functions, causes linkNodeModules() to return the target path (<path>/node_modules) instead of the path of the symlink it created. The cleanup routine then recursively removes the path it was handed, so instead of unlinking ./node_modules it deletes the real node_modules directory outside of the current working directory, leaving a dangling symlink behind. Any node_modules tree that --prefer-local is pointed at can be destroyed this way. The vulnerable functions are linkNodeModules() and cleanup(); the vulnerable parameter is the <path> argument of --prefer-local. Per the CVSS vector (AV:L, UI:A), triggering the flaw requires a local user to run zx with --prefer-local against the path in question.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fixed release is confirmed, avoid pointing --prefer-local at a node_modules tree you cannot afford to lose (for example a shared or globally installed one), and verify after each run that the external directory is still intact.
Weakness Enumeration
Related Identifiers
Affected Products
Zx