{
  "threat_severity" : "Moderate",
  "public_date" : "2025-11-20T16:25:16Z",
  "bugzilla" : {
    "description" : "zx: Arbitrary node_modules Directory Deletion in Google zx",
    "id" : "2416152",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2416152"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-706",
  "details" : [ "When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.", "A link traversal flaw has been discovered in Google's zx library. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory." ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-agent-installer-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-13437\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13437\nhttps://github.com/google/zx/issues/1348" ],
  "name" : "CVE-2025-13437",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}