
Weaponized file name flaw makes updating glob an urgent job


Infosec In Brief Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool's CLI.

Glob is used to find files using wildcards, is typically run as a library API, and is an all but universal part of the JavaScript stack. This vulnerability lives in glob's CLI tool – specifically the tool's -c flag used to execute commands on matching files.

Spotted by security researchers at automated infosec outfit AISLE, the 7.5-rated vuln (CVE-2025-64756) doesn’t impact every glob user.

It's there that the problem starts: Glob is programmed with shell: true enabled by default, meaning that whenever a file is found using glob's CLI tool with a -c flag it passes the file to a shell for execution. On POSIX systems, specifically (e.g., Linux, macOS, BSD, etc ...


Copyright of this story solely belongs to theregister.co.uk.