CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2025-64756 |
HIGH |
glob |
10.4.5 |
11.1.0 |
2025-11-17T18:15:58.27Z |
2025-11-18T10:18:18.698729407Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:04b50ef91137a051b4a33b5e4ad1f0661edb09327016af10394dc995bbf6e818 |
public.ecr.aws/lambda/nodejs:24-preview |
public.ecr.aws/lambda/nodejs@sha256:592e7661c80b13da0a74b3fa135770c746c70b4f6084d3732afc240d56787488 |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:04b50ef91137a051b4a33b5e4ad1f0661edb09327016af10394dc995bbf6e818 |
public.ecr.aws/lambda/nodejs:20 |
public.ecr.aws/lambda/nodejs@sha256:ece01c64da0c5e4788d95fbbb02801db904806cdaf50cd7d32ec0a2871524a89 |
Description
Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Remediation Steps
- Update the affected package
glob from version 10.4.5 to 11.1.0.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
