Node Glob CLI Command Injection

HIGH (7.5) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.04% chance of exploitation (percentile: 10%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

The Node Glob CLI is a utility for matching files using patterns. It's commonly used in CI/CD pipelines to filter files. However, because of a command injection vulnerability in its -c/--cmd option, an attacker who can place a file with a malicious name where the CLI processes it can execute arbitrary commands.

Am I affected?

The advisory does not state specific affected versions. If you don't recognise this software, you're probably not affected.

Affected Packages

npm: glob

Affected Products

isaacs / node-glob

How to fix

To fix this vulnerability, upgrade to Node Glob CLI versions 10.5.0, 11.1.0, or later. You can do this by running:

npm install --save-dev glob@10.5.0

Alternatively, if an upgrade isn't possible, apply these immediate mitigations:
- Restrict network access to your CI/CD pipeline
- Audit file names for suspicious patterns
- Monitor for unauthorized file modifications