Key Vulnerability Information
CVE ID: CVE-2025-64756
Severity: 7.5/10 (High)

Summary
Vulnerability: Command injection in the CLI.
Affected Versions: v10.3.7 through v11.0.3 (CLI component only).
Patched Versions: 11.1.0.

Technical Details
Root Cause: Vulnerability in where the CLI passes matched filenames to a shell with .

Attack Surface
- Files with shell metacharacters in their names.
- Any directory where filenames are externally controlled.
- CI/CD pipelines using on untrusted content.

PoC
1. Create a file with a command injection payload in the filename: .
2. Execute to trigger the vulnerability.

Impact
- Arbitrary command execution with the full privileges of the invoking user.
- No privilege escalation required: the injected command runs as the current user.
- Access to environment variables, the file system and the network.

Real-World Attack Scenarios
1. CI/CD pipeline compromise
2. Developer workstation attack
3. Automated processing systems
4. Supply chain poisoning

Remediation
- Upgrade to or higher.
- Convert commands containing positional arguments to or if CLI actions fail.
- Use to maintain behavior until but avoid untrusted content.