CVE-2025-13437: CWE-706 Use of Incorrectly-Resolved Name or Reference in Google zx
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.
AI Analysis
Technical Summary
CVE-2025-13437 is a vulnerability in Google zx version 8.8.4, a tool designed to simplify scripting with JavaScript and Node.js. The issue arises when the zx CLI is invoked with the --prefer-local=<path> option, which makes zx create a symbolic link named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (the linkNodeModules and cleanup functions), the link helper returns the symlink's target path rather than the alias (the symlink path itself). The cleanup routine removes whatever path it receives, so it deletes the target directory (<path>/node_modules) instead of just the symlink. The result is the unintended deletion of a node_modules directory outside the current working directory, potentially removing critical dependencies or shared modules. The vulnerability is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference), reflecting the flawed path resolution. Exploitation requires local access and user interaction (invoking zx with the specific option), but no elevated privileges or authentication. The impact primarily affects the integrity and availability of external dependencies, which can disrupt development workflows, continuous integration, and deployment pipelines. No exploits are known in the wild, but the vulnerability poses a risk wherever zx is used with --prefer-local pointing at important shared directories. The CVSS 4.0 base score is 5.6 (medium severity), reflecting the local attack vector, low complexity, no privileges required, user interaction needed, and high impact on integrity and availability.
Potential Impact
For European organizations, the vulnerability could lead to accidental or malicious deletion of critical node_modules directories outside the intended scope, causing disruption in software development and deployment processes. This can result in downtime for development teams, broken builds, and delays in production releases. Organizations relying on shared or centralized node_modules directories in monorepos or CI/CD environments are particularly at risk. The integrity of development environments is compromised, potentially leading to loss of dependencies and increased recovery time. Availability of development tools and pipelines may be affected, impacting productivity and operational continuity. While the vulnerability does not directly expose sensitive data or allow remote code execution, the disruption to development workflows can have downstream effects on business operations and security posture. European companies with large software engineering teams or those using Google zx in automated scripts should prioritize assessment and mitigation to avoid operational impact.
Mitigation Recommendations
To mitigate CVE-2025-13437, organizations should avoid using the --prefer-local option with Google zx version 8.8.4 until a patched version is available. If usage is necessary, ensure that the <path> specified does not point to critical or shared node_modules directories outside isolated environments. Implement strict filesystem permissions and access controls to limit the ability of scripts to delete important directories. Use containerized or sandboxed environments for running zx scripts to contain potential damage. Monitor filesystem changes in development and CI/CD environments to detect unexpected deletions promptly. Regularly back up node_modules directories or use package-lock.json and package manifests to quickly restore dependencies. Stay updated with Google zx releases and apply patches once available. Additionally, conduct code reviews and static analysis on scripts invoking zx with --prefer-local to identify risky usage patterns. Educate developers about the risks of this option and enforce usage policies accordingly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name:
- Date Reserved: 2025-11-19T19:03:28.234Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 691f4446d2e902043d1f9194
Added to database: 11/20/2025, 4:39:34 PM
Last enriched: 11/20/2025, 4:54:52 PM
Last updated: 11/20/2025, 9:42:46 PM