CVE-2025-64756 doesn't appear to be a real CVE (the numbering format suggests it might be from a scanning tool that generates pseudo-CVEs or a false positive). That said, the underlying concern is valid - Next.js v14's eslint-plugin-next does pin

A few points:

If you need to override it immediately:

Using npm (package.json):

```json
{
  "overrides": {
    "@next/eslint-plugin-next": {
      "glob": "^10.4.5"
    }
  }
}
```

Using pnpm (.pnpmfile.cjs or pnpm.overrides in package.json):

```json
{
  "pnpm": {
    "overrides": {
      "glob": "^10.4.5"
    }
  }
}
```

For Next.js team: If this is a legitimate vulnerability report, it would be worth bumping glob to latest 10.x in the next v14 patch release. Could you share where this CVE is documented? That would help clarify whether it's a real security issue or a scanner false positive.
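After adding an override like the one above, the practical check is whether every copy of glob that npm resolved (including the nested one under @next/eslint-plugin-next) now meets the override's floor. The script below is an added example, not code from the discussion or from Next.js; it walks a lockfile's `packages` map and applies a minimal caret-range check, using a constructed package-lock.json sample in place of a real one.

```javascript
// Added example: audit every resolved copy of a package in an npm v7+ lockfile
// (lockfileVersion 2/3) against a caret floor such as the "^10.4.5" override.
// SAMPLE_LOCK is a constructed stand-in for a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/glob": { version: "7.2.3" },
    "node_modules/@next/eslint-plugin-next": { version: "14.2.3" },
    "node_modules/@next/eslint-plugin-next/node_modules/glob": { version: "10.3.7" },
    "node_modules/rimraf/node_modules/glob": { version: "10.4.5" },
  },
};

// Parse "X.Y.Z" (prerelease/build suffixes ignored) into [X, Y, Z].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Minimal check for a caret range "^X.Y.Z": same major and >= X.Y.Z.
// (Covers major >= 1; not a full semver implementation.)
function satisfiesCaret(version, caretRange) {
  const floor = parseVersion(caretRange.replace(/^\^/, ""));
  const got = parseVersion(version);
  if (got[0] !== floor[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (got[i] > floor[i]) return true;
    if (got[i] < floor[i]) return false;
  }
  return true;
}

// Every lockfile path that resolves `name`, hoisted or nested, with its
// version and whether it satisfies the override range.
function auditPackage(lock, name, caretRange) {
  const leaf = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === leaf || p.endsWith(`/${leaf}`))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      ok: satisfiesCaret(entry.version, caretRange),
    }));
}

for (const r of auditPackage(SAMPLE_LOCK, "glob", "^10.4.5")) {
  console.log(`${r.ok ? "OK " : "BAD"} ${r.path} ${r.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any BAD line means the override did not reach that copy (or the lockfile was not regenerated after editing package.json).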
Summary

On v14 a vulnerable version (CVE-2025-64756) of glob is pinned:

next.js/packages/eslint-plugin-next/package.json, line 15 in 7b940d9

Are there any plans for an upgrade?

Additional information

No response

Example

No response