CVE-2025-13437 in Google
Summary
by MITRE • 11/20/2025
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.
Analysis
by VulDB Data Team • 11/21/2025
The vulnerability described in CVE-2025-13437 resides in the zx command-line tool, specifically in its handling of the --prefer-local flag. When zx is invoked with --prefer-local=<path>, which is meant to resolve dependencies from a local node_modules directory, the CLI creates a symbolic link named ./node_modules in the current working directory that points to <path>/node_modules. A logic error in src/cli.ts, in the linkNodeModules and cleanup functions that implement this behavior, breaks the teardown of that link.
The flaw is in the value returned by the link-creation routine: it returns the target path (<path>/node_modules) instead of the alias path (the ./node_modules symlink it just created). The cleanup routine removes whatever path it is handed, on the assumption that it is the symlink. Given the target path instead, it removes the real directory rather than the link, so a teardown step that should delete one symlink in the working directory deletes the directory the symlink pointed to.
The operational impact is destructive rather than escalatory: the deletion runs with the privileges of whoever invoked zx, and the path removed is <path>/node_modules, which lies outside the current working directory whenever <path> does. Anyone who can influence the <path> argument (for example through a wrapper script, a CI job definition, or a shared project configuration) can make zx delete that directory, and a developer who points --prefer-local at a shared dependency tree loses it even without an attacker. The result is loss of data availability and, in automated environments, broken builds whose dependencies have silently disappeared.
This vulnerability maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access), a combination of path-handling and symbolic-link management errors. In ATT&CK terms the outcome is T1485 (Data Destruction); the bug does not by itself provide command execution. Organizations that run zx with elevated privileges or in automated pipelines face particular risk, since the directory removed may hold dependencies that other jobs rely on. Mitigation is to update to a zx release in which linkNodeModules returns the alias (symlink) path so that cleanup removes only the link. Until then, avoid --prefer-local with paths whose node_modules you cannot afford to lose, and treat any argument that feeds directory operations as untrusted input. A defensive cleanup routine would also verify, before removing anything, that the path is a symbolic link located inside the working directory; that check would have contained this bug even with the wrong return value.