
How to resolve the CVE-2025-64756 of glob?

Open GaoJianAllen opened this issue 1 month ago • 6 comments

Environment

  • Platform:
  • Docker Version:
  • 24:
  • 24-alpine:

Expected Behavior

No high vulnerabilities

Current Behavior

1 high vulnerability of glob.

Possible Solution

Steps to Reproduce

Additional Information

GaoJianAllen, Nov 25 '25 02:11

Docker scout says upgrading to version 11.1.0 would fix it, are there any breaking changes this would cause?

PaulMares, Nov 25 '25 16:11

It was also reported in https://github.com/nodejs/node/issues/60792 which refers to https://github.com/npm/cli/issues/8741 where it ~~is being~~ has been fixed.

Note also the comment in the original posting of issue https://github.com/npm/cli/issues/8741 where it states that the vulnerability does not affect npm, and is therefore a false positive as far as npm, Node.js and Docker images with Node.js are concerned.

> Notice that the CVE itself doesn't affect npm, as the issue is only in the cli interface of glob, while npm uses its library interface.

See also SECURITY for general discussion about handling upstream vulnerabilities.

It's not possible just to update glob to 11.1.0 on its own in a Docker image. That needs to be coordinated inside npm, which is bundled with Node.js. If you try to correct the issue on a standalone [email protected] installation (the version bundled in Node.js 24.11.1), it fails:

npm warn audit fix [email protected] node_modules/npm/node_modules/node-gyp/node_modules/glob
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/glob
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/tar
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.

MikeMcC399, Nov 25 '25 19:11

Should be fixed when

  • [X] [email protected] is bundled into Node.js (see PR https://github.com/nodejs/node/pull/60853),
  • [ ] then new Node.js releases are made, and
  • [ ] new node Docker images are built based on them.

Edit: see also https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/217

MikeMcC399, Nov 25 '25 21:11

The PR was already merged about 14 hours ago; is there any update on the release timeline of the official Docker node base images based on this update?

manisha-11-dev, Nov 28 '25 11:11

@manisha-11-dev

> The PR was already merged about 14 hours ago; is there any update on the release timeline of the official Docker node base images based on this update?

There can't be an update to a Docker image until there is a new release of Node.js. You can track releases of Node.js by going to https://github.com/nodejs/node and selecting Watch, then Custom and Subscribe to Releases.

MikeMcC399, Nov 28 '25 11:11

For people still waiting for an official Node release with the updated npm version, a quick workaround is to run this in your current Docker images (it requires the root user):

npm install -g npm@latest

Stolz, Dec 08 '25 05:12
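The `npm install -g npm@latest` workaround above replaces the whole bundled npm tree, but the thread never shows how to check whether an image actually still carries the flagged glob copies before and after that step. The POSIX shell script below is an added example, not code from the docker-node project or from any commenter: it walks the global npm tree, finds every bundled `glob` (npm's own copy and the one under `node-gyp`, the two paths that appear in the `npm audit fix` output above) and reports any copy older than 11.1.0, the version Docker Scout named as fixed earlier in the thread. The scan root `/usr/local/lib/node_modules`, the file name `check-glob.sh` and treating 11.1.0 as the fixed version are assumptions made for this example, not facts taken from the page; confirm the fixed version against the advisory for CVE-2025-64756 before relying on it.

```shell
#!/bin/sh
# Added example (not from the docker-node thread): locate every copy of glob that
# ships inside an image and report those older than the version Docker Scout named
# as fixed. Assumptions are marked below.

# Fixed version as reported by Docker Scout in the thread; an assumption for this
# example, to be confirmed against the advisory for CVE-2025-64756.
GLOB_FIXED_VERSION="11.1.0"

# Assumed location of the globally installed npm in official node images.
DEFAULT_SCAN_ROOT="/usr/local/lib/node_modules"

# semver_lt A B: succeed (exit 0) when A < B, comparing major.minor.patch numerically.
# A leading "v" and any pre-release/build suffix are dropped, so "11.1.0-rc.1"
# compares as 11.1.0; ".0.0" is appended so short versions such as "11" still
# yield three fields.
semver_lt() {
  a="$(printf '%s' "$1" | sed 's/^v//; s/[-+].*//').0.0"
  b="$(printf '%s' "$2" | sed 's/^v//; s/[-+].*//').0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Print the "version" field of a package.json (first match) without needing node or jq.
glob_pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_glob_copies [ROOT]: print "<version> <package.json path>" for every glob copy
# under ROOT (default: the global npm tree) that is older than GLOB_FIXED_VERSION.
# Exit 0 when nothing below the fixed version was found, 1 otherwise.
scan_glob_copies() {
  root=${1:-$DEFAULT_SCAN_ROOT}
  hits=$(find "$root" -path '*/node_modules/glob/package.json' -type f 2>/dev/null |
    while IFS= read -r pkg; do
      ver=$(glob_pkg_version "$pkg")
      [ -n "$ver" ] || continue
      if semver_lt "$ver" "$GLOB_FIXED_VERSION"; then
        printf '%s %s\n' "$ver" "$pkg"
      fi
    done)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Run the scan when invoked directly as check-glob.sh (hypothetical file name);
# sourcing the file only defines the functions.
case "$0" in
  *check-glob.sh) scan_glob_copies "$@" ;;
esac
```

Copy the script into a container built from the image and run `sh check-glob.sh`; a non-zero exit with the two bundled paths listed reproduces the scanner finding, and running it again after `npm install -g npm@latest` shows whether the old copies are gone. As the thread points out, npm only uses glob's library interface, so this is about confirming and clearing the scanner result in the image, not about a reachable exploit path in npm itself.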