Symlink Vulnerability in zx CLI Tool by Google
CVE-2025-13437

5.6MEDIUM

Key Information:

Vendor: Google
Status: Zx
Vendor: CVE Published:; 20 November 2025

What is CVE-2025-13437?

A security flaw in the Google zx CLI tool arises when executing commands with the --prefer-local= option. This action can create a symbolic link pointing to the node_modules directory of a specified path. However, a logic error in the code causes the cleanup routine to mistakenly delete the target directory instead of the symlink, potentially resulting in the loss of entire node_modules from an external directory. This vulnerability highlights the risks associated with improper file handling in CLI tools.

Affected Version(s)

zx 8.8.4

References

https://github.com/google/zx/issues/1348

CVSS V4

Score:

5.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 20, 2025
Vulnerability Reserved
Nov 19, 2025

Credit

Ali Firas

JSON