
CVE-2025-64756: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in isaacs node-glob

Severity: High
Published: Mon Nov 17 2025 (11/17/2025, 17:29:08 UTC)
Source: CVE Database V5
Vendor/Project: isaacs
Product: node-glob

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, so shell metacharacters in filenames can trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account. This issue has been patched in versions 10.5.0 and 11.1.0.

AI-Powered Analysis

Last updated: 11/17/2025, 17:41:21 UTC

Technical Analysis

The vulnerability identified as CVE-2025-64756 affects the node-glob package, a widely used JavaScript library for matching file paths using glob patterns. Specifically, versions from 10.3.7 up to but not including 11.1.0 contain a command injection flaw in the CLI tool's -c/--cmd option. When this option is used, glob executes the specified command on each matched filename by invoking a shell with shell: true, and the implementation does not neutralize shell metacharacters embedded in those filenames. An attacker who can control or influence the filenames glob matches can craft names containing shell operators or commands, which the shell interprets and executes. The result is arbitrary code execution with the privileges of the user or continuous integration (CI) account running the command.

The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based (AV:N) with high attack complexity (AC:H), low privileges required (PR:L) and no user interaction (UI:N); the scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).

No public exploits have been reported yet, but the risk is significant because node-glob is ubiquitous in development environments and CI/CD pipelines. The issue was addressed in version 11.1.0 by sanitizing or avoiding shell execution of untrusted filenames. Organizations using affected versions should upgrade promptly and review their use of the -c option to mitigate risk.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on node-glob in development, build, or CI/CD environments. Successful exploitation could allow attackers to execute arbitrary commands on build servers or developer machines, potentially leading to source code theft, insertion of malicious code, disruption of build processes, or lateral movement within internal networks. The compromise of CI accounts or build infrastructure could undermine software supply chain integrity, a critical concern for European industries with stringent regulatory and compliance requirements such as finance, healthcare, and critical infrastructure. The high impact on confidentiality, integrity, and availability means that sensitive data and operational continuity could be at risk. Additionally, the vulnerability could be leveraged to implant persistent backdoors or disrupt automated deployment pipelines, causing significant operational and reputational damage.

Mitigation Recommendations

European organizations should take the following specific actions:
1) Immediately upgrade node-glob to version 11.1.0 or later in all environments, including development, testing, and CI/CD pipelines.
2) Audit all usage of the glob CLI, particularly the -c/--cmd option, and eliminate or restrict its use where possible.
3) Implement strict input validation and sanitization for any filenames or patterns processed by glob to prevent injection of shell metacharacters.
4) Run build and CI processes with the least privilege necessary to limit the impact of potential exploitation.
5) Monitor build logs and system activity for unusual command executions or anomalies that could indicate exploitation attempts.
6) Employ containerization or sandboxing for build environments to isolate potential compromises.
7) Educate developers and DevOps teams about the risks of command injection vulnerabilities in build tools and enforce secure coding and operational practices.
8) Review and update security policies to include dependency management and timely patching of open-source components.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T22:29:34.874Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691b5ce0c08982598af07855

Added to database: 11/17/2025, 5:35:28 PM

Last enriched: 11/17/2025, 5:41:21 PM

Last updated: 11/22/2025, 2:40:40 PM