CVE-2025-13437
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-20
Assigner: Google Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zx | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when the zx CLI is run with the --prefer-local=<path> option. To honour that option, the CLI creates a symbolic link named ./node_modules in the working directory that points to <path>/node_modules. Due to a logic error, the cleanup routine that is supposed to remove that link follows it and deletes the link's target (<path>/node_modules) rather than the link itself. The result is that zx can recursively delete a node_modules directory that lives outside the current working directory, which is the CWE-706 pattern listed above: a reference (the symlink) resolves to a resource outside the intended control sphere.
How can this vulnerability impact me?
The vulnerability can lead to unintended deletion of directories outside the current working directory, specifically the external <path>/node_modules directory that --prefer-local was pointed at. The consequence is loss of the dependencies installed there, disruption of the development environment or build that relied on them, and potential data loss for anything else kept under that directory.