Red Hat JBoss EAP: CVE-2025-64756: OS Command Injection
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:S/C:C/I:C/A:C) | Nov 17, 2025 | Dec 4, 2025 | Dec 4, 2025 |
Description
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, so shell metacharacters in filenames can trigger command injection and achieve arbitrary code execution with the privileges of the user or CI account. This issue has been patched in versions 10.5.0 and 11.1.0.

A flaw was found in glob. This vulnerability allows arbitrary command execution via processing files with malicious names when the glob command-line interface (CLI) is used with the -c/--cmd option, enabling shell metacharacters to trigger command injection.
Solution
Upgrade Red Hat JBoss EAP to the latest version.
References
- CWE-78
- CVE-2025-64756
- https://attackerkb.com/topics/CVE-2025-64756
- https://access.redhat.com/security/cve/CVE-2025-64756
- https://bugzilla.redhat.com/show_bug.cgi?id=2415451
- https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146
- https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2