Platform
nodejs
Component
is-arrayish
Fixed in
0.3.4
CVE-2025-59331 is a critical security issue involving the is-arrayish Node.js package. The vulnerability stems from a malicious compromise in which attackers injected malware into the published package, potentially granting them full control over any system that installs it. Versions of is-arrayish prior to 0.3.4 are vulnerable, and immediate action is required to mitigate the risk. A fix has been released in version 0.3.4.
The impact of CVE-2025-59331 is severe. The compromised package allows attackers to execute arbitrary code on systems where it is installed. This effectively grants them complete control, enabling them to steal sensitive data, install persistent malware, and potentially pivot to other systems within the network. The upstream advisory explicitly states that any computer with the compromised package should be considered fully compromised, emphasizing the need for immediate and thorough remediation. The attacker could exfiltrate API keys, database credentials, and other sensitive information. Given where Node.js applications run, this could affect web servers, backend services, and desktop applications.
This vulnerability was identified through the ghsa-malware feed, indicating a known malware injection. The public disclosure date of 2025-09-08 indicates a relatively recent discovery. Given the package's widespread use in Node.js projects (it is a transitive dependency of many popular packages), the potential for exploitation is high. There are currently no known active campaigns targeting this specific vulnerability, but the severity warrants proactive monitoring and remediation. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59331 is to immediately upgrade the is-arrayish package to version 0.3.4 or later. Due to the severity of the compromise, simply updating the package may not be sufficient. It is strongly recommended to rotate all secrets and keys stored on affected systems, performing the rotation from a clean, uncompromised machine. After removing the malicious package, perform a thorough system scan to detect and remove any residual malware. Consider using a reputable malware removal tool and reviewing system logs for suspicious activity. There are no WAF or proxy rules that can effectively mitigate this vulnerability; the core issue is the compromised package itself.
Update to version 0.3.4 or higher. Completely remove the node_modules directory, clear your package manager's global cache, and rebuild any browser packages from scratch. If you operate private registries or registry mirrors, purge affected versions from any cache.
CVE-2025-59331 is a HIGH severity vulnerability where the is-arrayish Node.js package was maliciously compromised with malware, potentially granting attackers full control over affected systems.
You are affected if you are using is-arrayish version 0.3.3 or earlier. Any system with this package installed should be considered compromised.
Upgrade is-arrayish to version 0.3.4 or later. Rotate all secrets and keys stored on affected systems from a clean machine, and perform a thorough system scan.
While there are no confirmed active campaigns targeting this vulnerability at this time, the severity warrants proactive monitoring and remediation.
Refer to the npm advisory and related security reports for details: [https://www.npmjs.com/advisories/1130](https://www.npmjs.com/advisories/1130)