CVE-2025-13437 – Arbitrary node_modules Directory Deletion in Google zx

CVE ID : CVE-2025-13437

Published : Nov. 20, 2025, 4:25 p.m.

Description : When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules under the supplied directory. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (the symlink path). The later cleanup routine removes whatever path it received, so it deletes the target directory itself. Result: zx can delete an external /node_modules directory outside the current working directory.

Severity: 5.6 | MEDIUM

