Platform: nodejs
Component: color
Fixed in: 5.0.2
CVE-2025-59143 affects the color Node.js package, posing a critical risk of full system compromise. The vulnerability allows for malicious code execution, potentially granting attackers complete control over affected systems. Versions of the package prior to 5.0.2 are vulnerable, and immediate action is required to mitigate the risk. A fix is available in version 5.0.2.
The impact of CVE-2025-59143 is severe. Upon installation, the malicious package grants attackers complete control over the affected system, including access to all stored secrets, keys, and sensitive data. The advisory description explicitly states that simply removing the package is not sufficient, as the attacker may already have established a persistent presence. This vulnerability shares characteristics with supply chain attacks in which malicious packages are injected into legitimate projects, leading to widespread compromise. The potential blast radius is significant: any system running a vulnerable version of the color package is affected.
This vulnerability was identified through ghsa-malware analysis (3507ec02d0eb24c87e1f7621140bb5e6a4a343308e7ee8af79ef7f84617f8577). While no specific exploit campaigns have been publicly linked to this CVE as of the publication date, the high CVSS score and the nature of the compromise (full system control) indicate a high probability of exploitation. It is likely to be added to the CISA KEV catalog given the severity and potential impact. Public proof-of-concept code is not currently available, but the potential for widespread compromise warrants immediate attention.
Developers and organizations using the color Node.js package in their projects are at risk. This includes those deploying Node.js applications in production environments, particularly those handling sensitive data or secrets. Shared hosting environments where multiple users may have access to the same Node.js installation are also at increased risk.
• nodejs / supply-chain: `npm list color`
  This command lists the installed version of the color package. If the version is less than or equal to 5.0.1, the system is vulnerable.
• nodejs / supply-chain: `npm audit | grep color`
  This command checks for known vulnerabilities in your project's dependencies, including the color package.
• nodejs / supply-chain: `npm audit fix`
  This command attempts to automatically fix vulnerabilities in your project's dependencies. However, manual verification is still required after running this command.
Exploit status: disclosure
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2025-59143 is to immediately upgrade the color package to version 5.0.2 or later. Due to the severity of the compromise, simply upgrading may not be enough. After upgrading, it is critical to rotate all secrets and keys stored on the affected system from a clean, uncompromised machine. Consider using a software bill of materials (SBOM) tool to identify all dependencies and potential vulnerabilities within your Node.js projects. Implement robust package verification processes to prevent the installation of malicious packages in the future.
Update to version 5.0.2 or later. Completely remove the node_modules directory, clear your package manager's global cache (npm or yarn), and rebuild all browser bundles from scratch. If you use a private registry or a registry mirror, purge the affected versions from any cache.
CVE-2025-59143 is a HIGH severity vulnerability affecting the color Node.js package where installation leads to full system compromise, requiring immediate action.
You are affected if you are using the color Node.js package version 5.0.1 or earlier. Check your project dependencies immediately.
Upgrade the color package to version 5.0.2 or later. Rotate all secrets and keys stored on the affected system from a clean machine.
While no active exploitation campaigns have been publicly confirmed, the high severity and potential for compromise suggest a high probability of exploitation.
Refer to the official Node Package Manager (npm) advisory and the ghsa-malware report for detailed information: [https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330](https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330)