Описание
zx Uses Incorrectly-Resolved Name or Reference
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-13437
- https://github.com/google/zx/issues/1348
- https://github.com/google/zx/pull/1349
- https://github.com/google/zx/pull/1355
- https://github.com/google/zx/commit/9ef6d3c9962c4ba01e3fb8075855570c192b4681
- https://github.com/google/zx/commit/a4d1bc2467f305f1c91d62506e215f307dc1fbeb
Пакеты
zx
< 8.8.5
8.8.5
Связанные уязвимости
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.