CVE-2025-64756: npm(glob) vulnerability

[jkoch70]

Hi,

A new vulnerability for the glob library has been found last week: CVE-2025-64756.
By when can we expect a new NodeJS V22.x release containing an upgrade for the vulnerable glob library?

Regards,

Jens

[jkoch70]

Hi,

May I get an update on this issue?
We are about to create a release of our software at the beginning of next week and this issue is a blocker for us.

Regards,

Jens

[jkoch70]

Hi,

We want to release our components, this week.
By when can we expect a new NodeJS V22.x release containing an upgrade for the vulnerable glob library?

Regards,

Jens

[marco-ippolito]

Hi @jkoch70 you can check the release schedule
nodejs/Release#1001

[jkoch70]

Hi @marco-ippolito,

I cannot see a new release date there?
What did I miss?

Regards,

Jens

[marco-ippolito]

Nobody has volunteered for a release so there isnt one planned.

[richardlau]

There isn't anything in the pipeline in terms of updates for Node.js 22 in this area. Assuming the most recent release of npm 11 updated the glob dependency, we have no plans to update Node.js 22 to include npm 11.

[jkoch70]

Hi @richardlau,

The latest LTS version 24.11.1 of NodeJS includes npm version 11.6.2 and glob version 11.0.3.
As of the following vulnerability report the glob issue is fixed with version 11.1.0 and not with 11.0.3:
https://www.cve.org/CVERecord?id=CVE-2025-64756

What are your suggestions to get rid of this glob vulnerability?

Regards,

Jens

[RafaelGSS]

npm 11.6.4 includes glob 13.0.0, which was recently merged on main 5 days ago. It will be in the next v24 release. nodejs/node#60853

[jkoch70]

Hi @RafaelGSS,

By when can we expect a new v24 release?
Is it true that you don't plan to include this fix in the LTS v22 version?

Regards,

Jens

[RafaelGSS]

There's one v24 release planned for next week.

Is it true that you don't plan to include this fix in the LTS v22 version?

This CVE is unlikely to affect Node.js. It's an npm CVE, and users can always upgrade their npm version manually. e.g:

$ node -v
v22.21.1
$ npm -v
10.9.4
$ npm i -g npm
$ npm -v
11.6.4

Therefore, this has low priority for us since it doesn't expose any risk to Node.js users. Usually, people only complain because their security scanner shows it to them without assessing its real impact on their apps.

In other words, if npm doesn't land a patch to it on their v10.* line, this is unlikely to be "fixed" in Node.js v22.

cc: @nodejs/npm

[wraithgar]

Usually, people only complain because their security scanner shows it to them without assessing its real impact on their apps.

This is the case here. Users are not actually affected by this when using npm.

In other words, if npm doesn't land a patch to it on their v10.* line, this is unlikely to be "fixed" in Node.js v22.

npm 10 can not be patched for this:

$ npm view npm@next-10 engines
{ node: '^18.17.0 || >=20.5.0' }
$ npm view glob@11.1.0 engines
{ node: '20 || >=22' }

ETA: glob 10 does have a fix. There are no immediate plans to patch npm 10. npm 11 works in node 20, and as stated before users are not actually vulnerable here.