Platform
nodejs
Component
is-arrayish
Fixed in
0.3.4
CVE-2025-59331 represents a critical security issue involving the is-arrayish Node.js package. This vulnerability stems from a malicious compromise where attackers injected malware into the package, granting them potential full control over affected systems. Versions of is-arrayish prior to 0.3.4 are vulnerable, and immediate action is required to mitigate the risk. A fix has been released in version 0.3.4.
The impact of CVE-2025-59331 is severe. The compromised package allows attackers to execute arbitrary code on systems where it's installed. This effectively grants them complete control, enabling them to steal sensitive data, install persistent malware, and potentially pivot to other systems within the network. The description explicitly states that any computer with the compromised package should be considered fully compromised, emphasizing the need for immediate and thorough remediation. The attacker could exfiltrate API keys, database credentials, and other sensitive information. Given the nature of Node.js applications, this could impact web servers, backend services, and desktop applications.
This vulnerability was identified through the ghsa-malware feed, indicating a known malware injection. The public disclosure date of 2025-09-08 suggests relatively recent discovery. Given the package's widespread use in Node.js projects, the potential for exploitation is high. There are currently no known active campaigns targeting this specific vulnerability, but the severity warrants proactive monitoring and remediation. It is not listed on the CISA KEV catalog at the time of writing.
Developers and organizations using Node.js and relying on the is-arrayish package in their projects are at significant risk. This includes those using shared hosting environments where package dependencies are managed centrally. Projects that haven't implemented robust dependency scanning and vulnerability management practices are particularly vulnerable.
• nodejs / supply-chain: npm list is-arrayish
• nodejs / supply-chain: npm audit is-arrayish
• generic web: Inspect package.json files for is-arrayish versions <= 0.3.3. Review system logs for any unusual activity related to the package installation or execution.
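The manual package.json inspection above misses nested copies that another dependency pulls in. The following is an added example, not part of the advisory, that walks a package-lock.json (lockfile v2/v3 "packages" map) and flags every is-arrayish install older than the fixed release 0.3.4; the lockfile content embedded below is constructed sample data.

```javascript
// Added example: scan a package-lock.json for is-arrayish installs below the fixed version 0.3.4.
// The SAMPLE_LOCK content is constructed for illustration, not a real project's lockfile.
const FIXED = [0, 3, 4];              // first clean release according to the advisory
const PACKAGE = "is-arrayish";

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into numeric parts; null if malformed.
// Pre-release and build tags are ignored for the comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the version is strictly below 0.3.4. Unparseable versions are reported
// as vulnerable so a malformed lockfile entry is never silently treated as safe.
function isVulnerable(version) {
  const parts = parseVersion(version);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;                        // exactly 0.3.4 is the fixed release
}

// Lockfile keys look like "node_modules/error-ex/node_modules/is-arrayish", so match the
// full trailing segment (not a substring) and include nested duplicates in the result.
function findVulnerable(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PACKAGE}`)) continue;
    const version = (meta && meta.version) || "";
    if (isVulnerable(version)) hits.push({ path, version: version || "?" });
  }
  return hits;
}

// Constructed sample: one clean direct copy, one vulnerable nested copy, and an
// unrelated package whose name merely contains "is-arrayish".
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/is-arrayish": { version: "0.3.4" },
    "node_modules/error-ex": { version: "1.3.2" },
    "node_modules/error-ex/node_modules/is-arrayish": { version: "0.2.1" },
    "node_modules/not-is-arrayish": { version: "0.1.0" },
  },
});

for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`VULNERABLE ${h.path}@${h.version}`);
```

Any hit means the remediation steps below (upgrade, clean node_modules and caches, rotate secrets) apply, regardless of whether the top-level copy is already 0.3.4.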
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59331 is to immediately upgrade the is-arrayish package to version 0.3.4 or later. Due to the severity of the compromise, simply updating the package may not be sufficient. It is strongly recommended to rotate all secrets and keys stored on affected systems from a clean, uncompromised machine. After removing the malicious package, perform a thorough system scan to detect and remove any residual malware. Consider using a reputable malware removal tool and reviewing system logs for suspicious activity. There are no WAF or proxy rules that can effectively mitigate this vulnerability; the core issue is the compromised package itself.
Upgrade to version 0.3.4 or later. Completely remove the node_modules directory, clear your package manager's global cache, and rebuild any browser bundles from scratch. If you operate private registries or registry mirrors, purge the affected versions from any caches.
CVE-2025-59331 is a HIGH severity vulnerability where the is-arrayish Node.js package was maliciously compromised with malware, potentially granting attackers full control over affected systems.
You are affected if you are using is-arrayish version 0.3.3 or earlier. Any system with this package installed should be considered compromised.
Upgrade is-arrayish to version 0.3.4 or later. Rotate all secrets and keys stored on affected systems from a clean machine, and perform a thorough system scan.
While there are no confirmed active campaigns targeting this vulnerability at this time, the severity warrants proactive monitoring and remediation.
Refer to the npm advisory and related security reports for details: [https://www.npmjs.com/advisories/1130](https://www.npmjs.com/advisories/1130)