CVE-2025-64756: Bump glob dependency to 10.5.0 #3947

@jvyang

Description

Expected Behavior

npm audit passes without vulnerabilities.

Actual Behavior

npm audit fails with vulnerabilities.

  • glob CLI: Command injection via -c/--cmd executes matches with shell:true (CVE-2025-64756)
  • brace-expansion Regular Expression Denial of Service vulnerability (CVE-2025-5889)

Steps to Reproduce

npm install or npm audit

Versions

language: typescript
node: 24
cdktf: 0.21.0

Providers

No response

Gist

No response

Possible Solutions

Bump glob to 10.5.0.

Workarounds

No response

Anything Else?

No response

References

No response

Help Wanted

  • I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working), new (Un-triaged issue)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests