Platform: nodejs
Component: color
Fixed in: 5.0.2
CVE-2025-59143 tracks a malicious release of the color Node.js package. Installing an affected version executes attacker-controlled code on the installing host, which can give the attacker complete control of that system. Versions prior to 5.0.2 are affected; the fix is version 5.0.2, and anyone who installed an affected version needs to act immediately.
The impact is severe. The malicious code runs at install time and grants the attacker complete control of the affected system, including access to every secret, key, and other sensitive item stored there or reachable from it. The advisory states explicitly that removing the package is not sufficient, because the attacker may already have established persistence. This is a software supply-chain compromise: malicious code was distributed through a legitimate, widely used package, so the blast radius covers every system that ran an install of a vulnerable version, whether a developer workstation, a CI runner, or a build server.
The advisory originates from a ghsa-malware analysis (3507ec02d0eb24c87e1f7621140bb5e6a4a343308e7ee8af79ef7f84617f8577). As of publication, no specific exploitation campaign has been publicly tied to this CVE and no public proof-of-concept code exists, but for a malicious package neither point lowers the risk: the harm occurs when the package is installed, so every installation of an affected version should be treated as a compromise. The EPSS score of 0.09% (25th percentile) is low because EPSS models the likelihood that a flaw in otherwise benign code will be exploited, not the probability that already-malicious code runs; it should not be used to deprioritise remediation here. Given the severity, the CVE may be added to the CISA KEV catalog; check the catalog directly for its current status.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC: not listed
The primary mitigation for CVE-2025-59143 is to upgrade the color package to version 5.0.2 or later immediately. Because an affected install may already have run attacker code, upgrading alone is not enough: treat every host that installed an affected version as compromised, and rotate all secrets and keys that were stored on it or accessible from it, performing the rotation from a clean, uncompromised machine. Use a software bill of materials (SBOM) tool or a lockfile scan to enumerate every place color appears in your Node.js projects, including transitive dependencies pinned by other packages. Going forward, enforce package verification (committed lockfiles with pinned versions and integrity hashes, and review of new versions before they are pulled into builds) so that a malicious release cannot be installed silently.
Update to version 5.0.2 or higher. Remove the node_modules directory completely, clear your package manager's cache (npm or yarn), reinstall, and rebuild all browser bundles from scratch so that no copy of the malicious code survives in cached tarballs or build output. If you run a private registry or registry mirror, purge the affected versions from its cache so they cannot be served again.
CVE-2025-59143 is a HIGH severity vulnerability in the color Node.js package: installing an affected version leads to full system compromise, and immediate action is required.
You are affected if any project or host installed the color Node.js package at version 5.0.1 or earlier, whether as a direct dependency or pulled in transitively by another package. Check your lockfiles and installed trees immediately.
Upgrade the color package to version 5.0.2 or later, then rotate all secrets and keys stored on or accessible from the affected system, performing the rotation from a clean machine.
No active exploitation campaign has been publicly confirmed, but because the package itself is malicious, any installation of an affected version already constitutes a compromise and should be handled as one.
Refer to the npm advisory and the ghsa-malware report for detailed information: [https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330](https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330)