Problem/Motivation

A new vulnerability came out a couple of weeks ago: CVE-2025-64756.

Steps to reproduce

Just execute "npm audit" inside the /web/core folder. You will get this message:

glob 10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix --force`
Will install glob@10.5.0, which is outside the stated dependency range

Remaining tasks

An MR for 10.6

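An added check, not code from this issue or from Drupal core, that scans a lockfileVersion 2/3 package-lock.json for every installed copy of glob (including nested copies under other packages' node_modules, which "npm audit" also reports) and flags the 10.2.0 - 10.4.5 range quoted in the audit output above; the sample lock file is constructed.

```python
import json
import re

# Vulnerable range and fixed version as stated in the npm audit output on this page.
VULN_LOW = (10, 2, 0)
VULN_HIGH = (10, 4, 5)
FIXED = (10, 5, 0)


def parse_version(v):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple; pre-release/build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when this glob version lies in the 10.2.0 - 10.4.5 range reported by npm audit."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def find_glob_installs(lock):
    """Yield (install path, version) for every copy of glob in the lock's 'packages' map.
    Nested copies live under '<parent>/node_modules/glob'; 'globby' and scoped names do not match."""
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/glob" or path.endswith("/node_modules/glob"):
            yield path, meta.get("version", "")


def audit_lock(lock):
    """Return [(path, version, vulnerable), ...] for every glob install found."""
    return [(p, v, is_vulnerable(v)) for p, v in find_glob_installs(lock)]


# Constructed sample lock file (hypothetical, not Drupal's): a fixed top-level copy,
# one nested copy still in the vulnerable range, and one on a newer major.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-build", "devDependencies": {"glob": "^10.5.0"}},
        "node_modules/glob": {"version": "10.5.0"},
        "node_modules/some-build-tool/node_modules/glob": {"version": "10.4.5"},
        "node_modules/other-tool/node_modules/glob": {"version": "11.0.0"},
    },
}

if __name__ == "__main__":
    # To check a real tree: lock = json.load(open("package-lock.json"))
    for path, version, vuln in audit_lock(SAMPLE_LOCK):
        print(f"{path}: glob {version} -> {'VULNERABLE' if vuln else 'ok'}")
```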

Issue fork drupal-3562214

Comments

lobodakyrylo created an issue.

Comment by lobodakyrylo

Issue summary: updated

Comment by quietone

Version: 10.6.x-dev » 11.x-dev
Issue summary: updated
Status: Needs work » Active

I asked about this in committer slack and longwave pointed out that "glob is only used by a handful of build scripts, it's not exposed to anything else". But we agree it would be good to upgrade to prevent the message from an audit.

This needs to be done on 11.x too.

Comment by quietone

Title: Upgrade glob to latest possible version because of CVE-2025-64756 » Upgrade glob because of CVE-2025-64756
Issue summary: updated
Status: Active » Needs review

Comment by longwave

Status: Needs review » Needs work

Comment by longwave

Also opened #3566464: Move core/package.json to the repository root to discuss moving these deps to the repo root as it's only needed for building core, not running Drupal itself.

Comment by quietone

Status: Needs work » Needs review

Version changed to use "^".

Comment by smustgrave

Status: Needs review » Reviewed & tested by the community

Seems straight forward. Do we still use the needs backport tag?

  • longwave committed 0f86723a on 11.3.x
    task: #3562214 Upgrade glob because of CVE-2025-64756
    
    By: lobodakyrylo...

  • longwave committed 44a2548e on 11.x
    task: #3562214 Upgrade glob because of CVE-2025-64756
    
    By: lobodakyrylo...
Comment by longwave

Version: 11.x-dev » 10.6.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed and pushed 44a2548e982 to 11.x and 0f86723a75a to 11.3.x. Thanks!

Let's backport this to 10.6.x as well.

Comment by smustgrave

Are we sure we want to backport? This is a major version jump on 10.6 that we weren't on 11.x

Comment by godotislate

For 10.6.x, we can probably bump glob to latest 10.5: https://github.com/advisories/GHSA-5j98-mcp5-4vw2

Comment by smustgrave

Status: Patch (to be ported) » Reviewed & tested by the community

Okay did that!

  • godotislate committed 6a92fd39 on 10.6.x
    task: #3562214 Upgrade glob because of CVE-2025-64756
    
    By: lobodakyrylo...
Comment by godotislate

Status: Reviewed & tested by the community » Fixed

Committed 6a92fd3 and pushed to 10.6.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.