CVE-2025-13437

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

CVE-2025-13437

creationtimestamp| type| source ---|---|--- 2025-11-20 19:59:33+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3m63klfondq2s...

@1wen/tools (>=3.11.3 <=3.11.32), @2en/clawly-plugins (>=1.1.0 <=1.49.0-beta.4) +679 more potentially affected by CVE-2025-13437 via zx (>=1.14.2 <=8.8.5-lite)

zx NPM version =1.14.2, =3.11.3, =1.1.0, =0.1.1, =0.1.0, =0.0.2, =0.0.1, =0.8.0, =1.0.0, =1.0.0, =0.0.3, =0.4.0, =1.0.1, =1.0.5 and more Source cves: CVE-2025-13437 Source advisory: OSV:GHSA-W87R-VG9Q-CRQM...

CVE-2025-13437

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

CVE-2025-13437

ZX contains a vulnerability (CVE-2025-13437) where, when invoked with --prefer-local=, the CLI creates a symlink ./node_modules to the specified path and a logic error in src/cli.ts (linkNodeModules/cleanup) returns the target path instead of the symlink path. The subsequent cleanup can delete th...