Platform
nodejs
Component
simple-swizzle
Fixed in
0.2.4
CVE-2025-59141 represents a critical security issue stemming from a malicious compromise of the simple-swizzle Node.js package. This compromise introduced malicious code directly into the package, resulting in a full system compromise for any system running the vulnerable version. Affected versions are those prior to 0.2.4. A fix has been released in version 0.2.4.
The impact of CVE-2025-59141 is severe. The malicious code injected into the simple-swizzle package grants attackers complete control over the affected system. This includes the ability to access and exfiltrate sensitive data, install additional malware, and potentially pivot to other systems on the network. The advisory explicitly states that any computer with the compromised package installed should be considered fully compromised, which underlines the critical nature of this vulnerability. The attacker effectively gains root access and can perform any action the account running the package can, and more.
This vulnerability was identified as part of a malware supply chain attack. It is listed on the GitHub Security Advisories and is considered a high-risk event. Public proof-of-concept code is not readily available, but the severity and nature of the compromise suggest that attackers may be actively exploiting this vulnerability. The vulnerability was published on 2025-09-08.
Developers and organizations using the simple-swizzle Node.js package in their projects are at risk. This includes those deploying applications to production environments, as well as development and testing environments. Specifically, projects relying on this package for image manipulation or processing are particularly vulnerable.
• nodejs / supply-chain:
npm list simple-swizzle
npm audit simple-swizzle
• linux / server:
ps aux | grep simple-swizzle
journalctl -u node | grep simple-swizzle
• generic web:
Inspect your package.json file for simple-swizzle and verify the version is >= 0.2.4. Check for any unusual network connections originating from Node.js processes.
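The package.json check above only sees direct dependencies; simple-swizzle is usually pulled in transitively, so the lockfile is the authoritative place to look. As an added example (not code from the advisory page or from the simple-swizzle project), the following Python script walks a package-lock.json and lists every installed copy of simple-swizzle, nested ones included, whose version is below the fixed release 0.2.4. The embedded lockfile is constructed sample data, and the v1 versus v2/v3 layout handling assumes npm's documented lockfile formats.

```python
import json
import re

# Constructed sample package-lock.json (lockfile v3 layout); not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"color-string": "^1.9.1"}},
        "node_modules/color-string": {"version": "1.9.1",
                                      "dependencies": {"simple-swizzle": "^0.2.2"}},
        "node_modules/simple-swizzle": {"version": "0.2.2"},
        "node_modules/other/node_modules/simple-swizzle": {"version": "0.2.4"},
    },
})

PACKAGE = "simple-swizzle"
FIXED_VERSION = "0.2.4"  # first fixed release named by the advisory

def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' (any suffix ignored) into a comparable int tuple."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in core.groups())

def find_installs(lock_text, package=PACKAGE):
    """Yield (install_path, version) for every copy of `package`, nested ones included."""
    lock = json.loads(lock_text)
    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == package and "version" in meta:
                yield path, meta["version"]
        return
    def walk(deps, prefix):  # lockfile v1: recursive "dependencies" tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == package and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")
    yield from walk(lock.get("dependencies", {}), "")

def vulnerable_installs(lock_text):
    """Return sorted install paths whose version is below FIXED_VERSION."""
    fixed = parse_version(FIXED_VERSION)
    return sorted(p for p, v in find_installs(lock_text) if parse_version(v) < fixed)

if __name__ == "__main__":
    print(vulnerable_installs(SAMPLE_LOCK))
```

Point the script at a real lockfile by reading the file into `vulnerable_installs`; an empty result means no installed copy is below 0.2.4, but the secret rotation described later still applies if a bad version was ever installed.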
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59141 is to immediately upgrade the simple-swizzle package to version 0.2.4 or higher. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily removing the package from your project. Crucially, regardless of whether you upgrade or remove the package, you must rotate all secrets and keys stored on the affected system from a clean, uncompromised machine. There are no WAF or proxy rules that can effectively mitigate this vulnerability as the malicious code is executed directly on the host system. Detection signatures are difficult to create without specific knowledge of the injected code, but monitoring for unusual process activity originating from the simple-swizzle package is recommended.
Upgrade to version 0.2.4 or later. Completely remove the node_modules directory, clear your package manager's global cache, and rebuild any browser bundles from scratch. If you operate private registries or registry mirrors, purge the affected versions from any caches.
CVE-2025-59141 is a HIGH severity vulnerability where the simple-swizzle Node.js package was compromised with malicious code, leading to full system control.
You are affected if you are using simple-swizzle versions less than or equal to 0.2.3. Immediately check your project dependencies.
Upgrade to simple-swizzle version 0.2.4 or higher. Also, rotate all secrets and keys on the affected system.
While public proof-of-concept code is not readily available, the severity and nature of the compromise suggest active exploitation is possible.
Refer to the GitHub Security Advisories for details: [https://github.com/advisories/CVE-2025-59141](https://github.com/advisories/CVE-2025-59141)