CVE-2025-64756: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in isaacs node-glob
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account. This issue has been patched in versions 10.5.0 and 11.1.0.
AI Analysis
Technical Summary
CVE-2025-64756 is an OS command injection vulnerability in the node-glob package, specifically in the -c/--cmd option of its CLI tool. Node-glob is widely used in JavaScript and Node.js environments to match files using shell-like glob patterns. From version 10.2.0 up to but not including 10.5.0, and from 11.0.0 up to but not including 11.1.0, the CLI passes matched filenames directly to a shell with the shell option set to true. Shell metacharacters embedded in a malicious filename are therefore interpreted by the shell, leading to arbitrary command execution. The weakness is CWE-78, improper neutralization of special elements used in an OS command, a classic injection flaw. Exploitation requires the attacker to control or influence filenames matched by the glob patterns used with the -c option; feeding matched files to a command this way is common in CI/CD pipelines and automated scripts that process files. The attacker can then execute arbitrary commands with the privileges of the user or CI account running the node-glob CLI. The vulnerability does not require user interaction, but it does require low privileges to run the vulnerable command. The CVSS v3.1 base score is 7.5, reflecting high severity due to the potential for full confidentiality, integrity, and availability compromise. The issue has been fixed in versions 10.5.0 and 11.1.0 by sanitizing or avoiding the unsafe shell invocation. No exploitation in the wild has been reported as of the publication date, but the risk remains significant given how widely node-glob is used in development environments.
Potential Impact
For European organizations, the impact of CVE-2025-64756 can be substantial, particularly for those that rely heavily on Node.js-based development and on CI/CD pipelines that use node-glob. Successful exploitation allows attackers to execute arbitrary commands under the privileges of the user or CI system, potentially leading to unauthorized access, data exfiltration, disruption of build or deployment processes, and lateral movement within networks. This could compromise intellectual property, sensitive customer data, and operational continuity. The vulnerability is especially critical in automated environments where malicious filenames might be introduced via compromised dependencies, third-party code, or supply chain attacks. Given the high adoption of JavaScript and Node.js in European tech sectors, including financial services, manufacturing, and government digital services, the threat could affect a broad range of organizations. The lack of required user interaction and the ability to trigger command execution through crafted filenames alone further increase the attack surface. The vulnerability could also be leveraged to implant persistent backdoors or disrupt builds of critical infrastructure software, impacting availability and trust in software supply chains.
Mitigation Recommendations
European organizations should immediately upgrade node-glob to version 10.5.0 or later on the 10.x line, or 11.1.0 or later on the 11.x line, so that the vulnerability is patched. In addition, organizations should audit their CI/CD pipelines and development environments for any usage of the vulnerable node-glob versions, especially where the -c/--cmd option is used. Implement strict input validation and sanitization for filenames and for any external inputs that influence glob patterns. Avoid passing untrusted filenames directly to shell commands, and avoid shell: true in child process invocations; pass the command and each filename as separate arguments instead. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to monitor for unusual command execution patterns. Incorporate security scanning tools in the software supply chain to detect vulnerable dependencies automatically. For critical environments, consider isolating build and deployment systems with strict access controls and network segmentation to limit the damage a successful exploit could do. Finally, educate developers and DevOps teams about secure usage patterns of node-glob and the risks of shell command injection.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T22:29:34.874Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691b5ce0c08982598af07855
Added to database: 11/17/2025, 5:35:28 PM
Last enriched: 11/24/2025, 6:21:17 PM
Last updated: 1/7/2026, 6:10:34 AM