color-string
Fixed in
2.1.2
CVE-2025-59142 represents a critical malware injection vulnerability discovered in the color-string Node.js package. This vulnerability allows attackers to gain full control of affected systems, potentially exfiltrating sensitive data and establishing persistent backdoors. Versions of color-string less than or equal to 2.1.1 are vulnerable. A fix is available in version 2.1.2.
The impact of CVE-2025-59142 is severe. The package was deliberately compromised, with malicious code injected directly into the codebase. This code grants attackers complete control over any system where the vulnerable package is installed and running. Attackers can execute arbitrary commands, access and steal sensitive data (including API keys, database credentials, and other secrets), and potentially establish a persistent presence on the compromised system. The description explicitly states that any computer with the package installed should be considered fully compromised, emphasizing the need for immediate action. This type of supply chain attack, where a legitimate package is subverted, is particularly dangerous because it can affect a wide range of downstream applications and systems.
This vulnerability was identified through ghsa-malware analysis (f96d7c74748e121e50b19198355b3f8f9f8ba84bcfd1731896fcf4b9ebc76370). While no specific exploit campaigns have been publicly reported as of the publication date, the nature of the compromise – malicious code directly injected into a widely used package – suggests a high probability of exploitation. The EPSS score is likely to be high, reflecting the ease of exploitation and the potential for widespread impact. The vulnerability was publicly disclosed on 2025-09-08.
Any Node.js project utilizing the color-string package, particularly those relying on it for color manipulation or formatting in command-line interfaces or web applications, is at risk. Developers using automated dependency management tools (npm, yarn) are especially vulnerable if they haven't implemented robust dependency auditing and security scanning practices. Shared hosting environments where multiple applications share the same Node.js runtime are also at increased risk.
• nodejs / supply-chain:
  Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Path
• nodejs / supply-chain:
  Get-ChildItem -Path $env:NODE_PATH -Recurse -Directory -Filter color-string | Select-Object FullName
• generic web:
  curl -I https://your-node-app.com/ | grep -i 'color-string'
disclosure
patch
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59142 is to immediately upgrade to version 2.1.2 or higher of the color-string package. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily removing the package from your project. Crucially, regardless of whether you upgrade or remove the package, you must rotate all secrets and keys stored on the affected system from a clean, uncompromised machine. There are no specific WAF or proxy rules that can effectively mitigate this vulnerability, as the malicious code is embedded within the package itself. Monitor your Node.js dependency tree for any signs of compromise and regularly audit your dependencies.
Update the color-string dependency to version 2.1.2 or higher. If you used version 2.1.1 in a browser environment, rebuild your bundles to remove the malware. Verify the integrity of your cryptocurrency wallets and recent transactions.
CVE-2025-59142 is a HIGH severity malware injection vulnerability affecting the color-string Node.js package. Malicious code was added, potentially granting attackers full control of affected systems.
You are affected if you are using color-string version 2.1.1 or earlier. Any system with this package installed should be considered fully compromised.
Upgrade to version 2.1.2 or higher. If upgrading is not possible, remove the package and immediately rotate all secrets stored on the affected system.
While no active campaigns have been publicly reported, the nature of the compromise suggests a high probability of exploitation.
Refer to the official advisory on the npm website or the color-string project's repository for the latest information and updates.