CVE-2025-13437 — zx Uses Incorrectly-Resolved Name or Reference

Description

When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.

How to fix CVE-2025-13437

To remediate CVE-2025-13437, upgrade the affected package to a fixed version below.

—upgrade to 8.8.5 or later

Is CVE-2025-13437 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 8.8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:U

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-13437
PATCHgithub.com/google/zx
WEBgithub.com/google/zx/commit/9ef6d3c9962c4ba01e3fb8075855570c192b4681
WEBgithub.com/google/zx/commit/a4d1bc2467f305f1c91d62506e215f307dc1fbeb
WEB