3 matches found
CVE-2025-13437
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
@1wen/tools (>=3.11.3 <=3.11.32), @2en/clawly-plugins (>=1.1.0 <=1.49.0-beta.4) +679 more potentially affected by CVE-2025-13437 via zx (>=1.14.2 <=8.8.5-lite)
zx NPM version =1.14.2, =3.11.3, =1.1.0, =0.1.1, =0.1.0, =0.0.2, =0.0.1, =0.8.0, =1.0.0, =1.0.0, =0.0.3, =0.4.0, =1.0.1, =1.0.5 and more Source cves: CVE-2025-13437 Source advisory: OSV:GHSA-W87R-VG9Q-CRQM...
CVE-2025-13437
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...