Improper File Handling

zx is vulnerable to Improper File Handling. The vulnerability is due to a logic error in the linkNodeModules and cleanup routines when using the --prefer-local option, which allows unintended deletion of an external /nodemodules directory outside the current working directory...

GHSA-W87R-VG9Q-CRQM zx Uses Incorrectly-Resolved Name or Reference

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

zx Uses Incorrectly-Resolved Name or Reference

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

CVE-2025-13437

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

Use of Incorrectly-Resolved Name or Reference

Overview zx is an A tool for writing better scripts Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the linkNodeModules function. An attacker can cause deletion of arbitrary directories by supplying a crafted path to the --prefer-local...

CVE-2025-13437

ZX contains a vulnerability (CVE-2025-13437) where, when invoked with --prefer-local=, the CLI creates a symlink ./node_modules to the specified path and a logic error in src/cli.ts (linkNodeModules/cleanup) returns the target path instead of the symlink path. The subsequent cleanup can delete th...

CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...