Platform: nodejs
Component: color-string
Fixed in: 2.1.2
CVE-2025-59142 represents a critical malware injection vulnerability discovered in the color-string Node.js package. This vulnerability allows attackers to gain full control of affected systems, potentially exfiltrating sensitive data and establishing persistent backdoors. Versions of color-string less than or equal to 2.1.1 are vulnerable. A fix is available in version 2.1.2.
The impact of CVE-2025-59142 is severe. The package was deliberately compromised, with malicious code injected directly into the published codebase. This code grants attackers complete control over any system where the vulnerable package is installed and running. Attackers can execute arbitrary commands, access and steal sensitive data (including API keys, database credentials, and other secrets), and potentially establish a persistent presence on the compromised system. The upstream advisory explicitly states that any computer with the package installed should be considered fully compromised, emphasizing the need for immediate action. This type of supply chain attack, where a legitimate package is subverted, is particularly dangerous because it can affect a wide range of downstream applications and systems.
This vulnerability was identified through ghsa-malware analysis (f96d7c74748e121e50b19198355b3f8f9f8ba84bcfd1731896fcf4b9ebc76370). While no specific exploit campaigns have been publicly reported as of the publication date, the nature of the compromise – malicious code directly injected into a widely used package – suggests a high probability of exploitation. The EPSS score is likely to be high, reflecting the ease of exploitation and the potential for widespread impact. The vulnerability was publicly disclosed on 2025-09-08.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59142 is to immediately upgrade to version 2.1.2 or higher of the color-string package. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily removing the package from your project. Crucially, regardless of whether you upgrade or remove the package, you must rotate all secrets and keys stored on the affected system from a clean, uncompromised machine. There are no specific WAF or proxy rules that can effectively mitigate this vulnerability, as the malicious code is embedded within the package itself. Monitor your Node.js dependency tree for any signs of compromise and regularly audit your dependencies.
Update the color-string dependency to version 2.1.2 or higher. If you used version 2.1.1 in a browser environment, rebuild your packages to remove the malware. Verify the integrity of your cryptocurrency wallets and recent transactions.
CVE-2025-59142 is a HIGH severity malware injection vulnerability affecting the color-string Node.js package. Malicious code was added, potentially granting attackers full control of affected systems.
You are affected if you are using color-string version 2.1.1 or earlier. Any system with this package installed should be considered fully compromised.
Upgrade to version 2.1.2 or higher. If upgrading is not possible, remove the package and immediately rotate all secrets stored on the affected system.
While no active campaigns have been publicly reported, the nature of the compromise suggests a high probability of exploitation.
Refer to the official advisory on the npm website or the color-string project's repository for the latest information and updates.