How to resolve the CVE-2025-64756 of glob？

[GaoJianAllen]

Environment

• Platform:
• Docker Version:
• 24:
• 24-alpine:

Expected Behavior

No high vulnerabilities

Current Behavior

1 high vulnerability of glob.

Possible Solution

Steps to Reproduce

Additional Information

[PaulMares]

Docker scout says upgrading to version 11.1.0 would fix it, are there any breaking changes this would cause?

[MikeMcC399]

It was also reported in nodejs/node#60792 which refers to npm/cli#8741 where it is being has been fixed.

Note also the comment in the original posting of issue npm/cli#8741 where it states that the vulnerability does not affect npm, and is therefore a false positive as far as npm, Node.js and Docker images with Node.js are concerned.

Notice that the CVE itself doesn't affect npm, as the issue is only in the cli interface of glob, while npm uses its library interface.

See also SECURITY for general discussion about handling upstream vulnerabilities.

It's not possible just to update glob to 11.1.0 on its own in a Docker image. That needs to be coordinated inside npm, which is bundled with Node.js. If you try to correct the issue on a standalone npm@11.6.2 installation (the version bundled in Node.js 24.11.1), it fails:

npm warn audit fix glob@10.4.5 node_modules/npm/node_modules/node-gyp/node_modules/glob
npm warn audit fix glob@10.4.5 is a bundled dependency of
npm warn audit fix glob@10.4.5 npm@11.6.2 at node_modules/npm
npm warn audit fix glob@10.4.5 It cannot be fixed automatically.
npm warn audit fix glob@10.4.5 Check for updates to the npm package.
npm warn audit fix glob@11.0.3 node_modules/npm/node_modules/glob
npm warn audit fix glob@11.0.3 is a bundled dependency of
npm warn audit fix glob@11.0.3 npm@11.6.2 at node_modules/npm
npm warn audit fix glob@11.0.3 It cannot be fixed automatically.
npm warn audit fix glob@11.0.3 Check for updates to the npm package.
npm warn audit fix tar@7.5.1 node_modules/npm/node_modules/tar
npm warn audit fix tar@7.5.1 is a bundled dependency of
npm warn audit fix tar@7.5.1 npm@11.6.2 at node_modules/npm
npm warn audit fix tar@7.5.1 It cannot be fixed automatically.
npm warn audit fix tar@7.5.1 Check for updates to the npm package.

[MikeMcC399]

Should be fixed when

• npm@11.6.4 is bundled into Node.js (see PR deps: upgrade npm to 11.6.4 node#60853),
• then new Node.js releases are made, and
• new node Docker images are built based on them.

[manisha-11-dev]

The PR already is merged about 14 hours ago, any update on the release timeline of the official Docker node base images, based on this update?

[MikeMcC399]

@manisha-11-dev

The PR already is merged about 14 hours ago, any update on the release timeline of the official Docker node base images, based on this update?

There can't be an update to a Docker image until there is a new release of Node.js. You can track releases of Node.js by going to https://github.com/nodejs/node and selecting Watch, then Custom and Subscribe to Releases.

[Stolz]

For people still waiting for an official Node release with the updated NPM version, a quick workaround is to run this in your current Docker images (it requires root user):

npm install -g npm@latest