Platform
nodejs
Component
color-convert
Fixed in
3.1.2
CVE-2025-59162 is a supply-chain compromise of the color-convert Node.js package. Attackers published a version of the package with malware injected directly into its code. Any system that installed or ran an affected version (3.1.1 and earlier, as listed in the advisory) should be treated as fully compromised, because the injected code runs with the privileges of whatever installed or loaded the package. A clean release is available as version 3.1.2.
The impact is severe. Because the package itself was compromised rather than merely containing a bug, an attacker can execute arbitrary code with the privileges of the application (or the build or CI job) that installed color-convert, and every secret or key reachable from that system is at risk of exfiltration. From that foothold the attacker can establish persistence, move laterally within the network, and compromise further systems. The advisory states explicitly that removing the package does not guarantee removal of all malicious software, since full control of the host may already have been handed to an outside party.
The issue was reported through the ghsa-malware program, which indicates a deliberate supply-chain attack rather than an accidental defect. Note that the EPSS score listed below is low (0.09%, 25th percentile); EPSS estimates the likelihood of exploitation activity against a vulnerability and is a poor indicator for a package whose published code was itself malicious, so it should not be read as reassurance. No public proof-of-concept code is listed, and none is required: installing or running an affected version is the exploitation path. The advisory was published on 2025-09-08.
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59162 is to upgrade the color-convert package to version 3.1.2 or higher immediately. Downgrading is not a fix: every version up to and including 3.1.1 is listed as affected, so pinning to an older release leaves you inside the affected range. Upgrading alone is also not sufficient, because the malicious code has already executed on any host that installed an affected version. Use a software composition analysis (SCA) tool or a lockfile audit to find every copy of color-convert in your dependency tree, including nested copies pulled in transitively by other packages, and to identify other dependencies compromised in the same campaign. Review system and CI logs for suspicious activity (unexpected network connections, new credentials, modified files) from the time an affected version was first installed. Rotate all secrets and keys that were present on affected systems, and do the rotation from a clean, uncompromised machine. There are no WAF or proxy rules that address this issue, as it is malicious code running inside your own build and runtime environment, not an externally triggered request.
Update to version 3.1.2 or higher. Then remove the node_modules directory completely, clear your package manager's cache (for example npm's global cache), and rebuild any browser bundles from scratch so that no artifact built from the malicious version survives. If you operate private registries or registry mirrors, purge the affected versions from every cache so they cannot be reinstalled from a stale copy.
CVE-2025-59162 is a HIGH severity vulnerability in which the color-convert Node.js package was compromised and malicious code was injected into a published version. Any system that installed or ran an affected version should be treated as fully under attacker control.
You are affected if your project installs color-convert version 3.1.1 or earlier, directly or as a transitive dependency of another package. Check your lockfile and dependency tree now and upgrade to reduce further exposure.
Upgrade color-convert to version 3.1.2 or higher using npm or yarn, remove node_modules and clear the package manager cache, and rotate all secrets and keys that were present on affected systems, doing so from a clean machine.
No separate public exploit is listed, and none is needed: installing or running an affected version executes the injected code. Monitor affected systems closely for suspicious activity and treat them as compromised until rebuilt.
Refer to the ghsa-malware report and related security advisories for more information. Check the npm registry for updates and announcements.