Platform: nodejs
Component: debug
Fixed in: 4.4.3
CVE-2025-59144 represents a critical security issue stemming from a malicious compromise of the Nodejs debug package. This compromise resulted in the injection of malicious code, potentially granting attackers complete control over affected systems. The vulnerability impacts versions of Nodejs debug up to and including 4.4.2, with a fix released in version 4.4.3.
The impact of CVE-2025-59144 is severe. The malicious code injected into the package allows an attacker to gain full control of the system where the package is installed and running. This includes the ability to access and exfiltrate sensitive data, install additional malware, and potentially pivot to other systems on the network. The advisory explicitly states that all secrets and keys stored on the compromised computer should be rotated immediately from a different, trusted machine, highlighting the potential for widespread data breaches and credential theft. The scope of the compromise extends beyond the immediate application that uses the package: the entire system is considered fully compromised.
This vulnerability was identified through a ghsa-malware report, indicating a supply chain attack. The EPSS score is likely high, reflecting the potential for widespread exploitation given the nature of compromised packages. Public proof-of-concept exploits are likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on September 8, 2025.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59144 is to immediately upgrade to Nodejs debug version 4.4.3 or higher. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider removing the package entirely. However, given the extent of the compromise, simply removing the package is not sufficient. A thorough forensic investigation of the affected system is crucial to identify and remove any additional malicious components that may have been installed. After upgrading, confirm the integrity of the system by scanning for suspicious processes, files, and registry entries. Consider using a reputable anti-malware solution to perform a full system scan.
Update to version 4.4.3 or higher. Completely remove the node_modules directory, clear your package manager's global cache, and rebuild any browser packages from scratch. If you operate private registries or registry mirrors, purge affected versions from any cache.
CVE-2025-59144 is a HIGH severity vulnerability where malicious code was injected into the Nodejs debug package, potentially granting attackers full control over affected systems.
You are affected if you are using Nodejs debug version 4.4.2 or earlier. Check your installed version using npm ls debug.
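As an added example (not code from the advisory or the debug project), the version check above carried out over a package-lock.json instead of by hand: it walks the lockfile's "packages" map, finds every installed copy of debug, nested copies included, and reports those in the advisory's stated range of 4.4.2 and earlier. The sample lockfile, its package names and versions are constructed.

```javascript
// Added example, not the advisory's own tooling: scan a package-lock.json
// (lockfile v2/v3 "packages" map) for every installed copy of `debug`, nested
// copies included, and flag those in the advisory's range (4.4.2 and earlier).

const FIXED_VERSION = "4.4.3"; // first fixed release named in the advisory

// Numeric compare of dotted versions (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each debug entry below the fixed version.
// Works from the parsed lockfile alone, so it can run in CI before `npm install`.
function findAffectedDebug(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // Match ".../node_modules/debug" exactly, not e.g. "debug-foo" or "@types/debug".
    if (!/(^|\/)node_modules\/debug$/.test(path)) continue;
    if (meta.version && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a clean top-level copy plus two nested
// copies that fall inside the affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/debug": { version: "4.4.3" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "4.4.2" },
    "node_modules/send": { version: "0.19.0" },
    "node_modules/send/node_modules/debug": { version: "2.6.9" },
  },
};
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findAffectedDebug; an empty result means no copy of debug at or below 4.4.2 is pinned in the tree.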
Upgrade to Nodejs debug version 4.4.3 or higher. If upgrading is not possible, remove the package and rotate all secrets stored on the affected system.
While active exploitation is not yet confirmed, the nature of the vulnerability (supply chain compromise) suggests a high probability of exploitation.
Refer to the Nodejs security advisories and the ghsa-malware report for details: [https://github.com/advisories/ghsa-malware](https://github.com/advisories/ghsa-malware)