Bug 2415451 (CVE-2025-64756) - CVE-2025-64756 glob: glob: Command Injection Vulnerability via Malicious Filenames
Summary: CVE-2025-64756 glob: glob: Command Injection Vulnerability via Malicious Filenames
Keywords:
Status: NEW
Alias: CVE-2025-64756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2418530 2418531 2418533 2418534 2418535 2418536 2418537 2418539 2418540 2418546 2419960 2419961 2418529 2418532 2418538
Blocks:
Reported: 2025-11-17 18:01 UTC by OSIDB Bzimport
Modified: 2026-01-07 18:35 UTC (History)
CC List: 185 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-11-17 18:01:51 UTC
Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.

