Upgrade glob on Next.js v14 ?

[enzoferey]

Summary

On v14 a vulnerable version (CVE-2025-64756) of glob is pinned.

next.js/packages/eslint-plugin-next/package.json

Line 15 in 7b940d9

"glob": "10.3.10"

Are there any plans for an upgrade?

Additional information

No response

Example

No response

[tt-a1i]

CVE-2025-64756 doesn't appear to be a real CVE (the numbering format suggests it might be from a scanning tool that generates pseudo-CVEs or a false positive).

That said, the underlying concern is valid - Next.js v14's eslint-plugin-next does pin glob@10.3.10.

A few points:

1. This is in eslint-plugin-next - a development-time dependency only, not shipped to production
2. glob 10.x is actively maintained - if there were a real vulnerability, isaacs would have patched it
3. Verify the CVE source - check if this is from npm audit, Snyk, or another scanner. Some tools generate advisory IDs that aren't real CVEs

If you need to override it immediately:

Using npm:

// package.json
{
  "overrides": {
    "@next/eslint-plugin-next": {
      "glob": "^10.4.5"
    }
  }
}

Using pnpm:

# .pnpmfile.cjs or pnpm.overrides in package.json
pnpm:
  overrides:
    glob: ^10.4.5

For Next.js team: If this is a legitimate vulnerability report, it would be worth bumping glob to latest 10.x in the next v14 patch release.

Could you share where this CVE is documented? That would help clarify whether it's a real security issue or a scanner false positive.

[enzoferey]

Hey @tt-a1i , thanks for your answer. I'm aware that we can use overrides to fix the issue, I was just wondering if there would be an upstream fix. We need to resolve this security vulnerability in the context of SOC2 requirements.

I'm not sure what you mean about "real vs not real CVE", you can check more details about it here => GHSA-5j98-mcp5-4vw2.

[tt-a1i]

ah thanks for the ghsa link, that's legit - my bad for questioning it.

for an upstream fix you'd probably need to open an issue or PR on the next.js repo. v14 is still getting patch releases so they'd likely merge a glob bump - should be a one-liner change.

[chrisdenton-ct]

I've also been affected by this vulnerability, though it's not clear to me that any fix is in the pipeline.

I see the issue raised by the OP has been auto-closed without action: #87126

Is there a way we can get this re-raised or re-opened?

The requirement to point to a public repo where the bug can be reproduced seems like it might not be applicable in this case. Though I think that pointing to any public repo that has Next.js 14.2.35 as a dependency would cover it.

[enzoferey]

When I opened the issue, I provided the URL of the Next.js source code I linked in the description of this discussion. So it's public, not sure why it auto-closed 🤷🏻‍♂️

Anyways, I had to solve by:

"overrides": {
    "@next/eslint-plugin-next": {
      "glob": "10.5.0"
    }
}

A fix upstream would be helpful. Newer Next.js versions don't have this issue though, they moved to fast-glob.