Platform
nodejs
Component
color-convert
Fixed in
3.1.2
CVE-2025-59162 represents a critical security issue involving the color-convert Node.js package. The package was maliciously compromised, with attackers injecting malware directly into the codebase. This poses a significant threat to any system utilizing affected versions (≤3.1.1), as it grants attackers full control. A fix is available in version 3.1.2.
The impact of CVE-2025-59162 is severe. Because the package was directly compromised, any system running an affected version is considered fully compromised. This means an attacker can execute arbitrary code with the privileges of the application using the color-convert package. All secrets and keys stored on the compromised system are at risk of exfiltration. The attacker could establish persistence, move laterally within the network, and potentially compromise other systems. The description explicitly states that removing the package doesn't guarantee removal of all malicious software, highlighting the depth of the compromise.
This vulnerability was identified through the ghsa-malware program, indicating a deliberate supply chain attack. The EPSS score is likely high, reflecting the severe impact and potential for widespread compromise. Public proof-of-concept code is not yet available, but the nature of the compromise suggests active exploitation is possible. The vulnerability was published on 2025-09-08.
Any Node.js project utilizing the color-convert package, particularly one deployed in a production environment or handling sensitive data, is at significant risk. Projects relying on automated dependency updates may be vulnerable if they haven't recently updated their dependencies. Shared hosting environments where users have limited control over installed packages are also particularly vulnerable.
• nodejs / supply-chain:
  npm list color-convert
• nodejs / supply-chain:
  npm audit color-convert
• generic web:
  Check package.json files for color-convert dependencies with versions less than or equal to 3.1.1.
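The checks above can be folded into one script that also catches transitive copies nested under other dependencies, which a glance at the top-level package.json misses. The following is an added example, not part of this advisory or of the color-convert project: it walks an npm package-lock.json (lockfile v1 nested "dependencies" tree or v2/v3 "packages" map, both assumed to follow npm's documented layout) and reports every install of color-convert below 3.1.2. The sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example (not from the advisory): scan an npm lockfile for every
// color-convert install at a version <= 3.1.1, the range the advisory flags.
// Handles lockfile v1 ("dependencies" tree) and v2/v3 ("packages" map).

const AFFECTED_PACKAGE = 'color-convert';
const FIXED_VERSION = '3.1.2';

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are
// dropped (a simplification chosen for this example).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// Numeric per component, so 3.10.0 sorts after 3.1.2 (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Affected means "older than the fixed version", i.e. <= 3.1.1.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return every affected install path of the package found in the lockfile.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/lib-a/node_modules/color-convert"; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = entry.name || path.split('node_modules/').pop();
      if (name === AFFECTED_PACKAGE && entry.version && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects, each with a version.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE && entry.version && isAffected(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Summarise the scan so callers (and the test) can act on the result.
function scanReport(lock) {
  const hits = findAffected(lock);
  return {
    affected: hits.length > 0,
    hits,
    summary: hits.length === 0
      ? [`no ${AFFECTED_PACKAGE} install below ${FIXED_VERSION} found`]
      : hits.map((h) => `${h.path}@${h.version} is affected; upgrade to >=${FIXED_VERSION}`),
  };
}

// Constructed sample lockfile: one direct install at 3.1.1, one nested copy
// at 2.0.1 (both affected) and one nested copy already at 3.1.2 (clean).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/color-convert': { version: '3.1.1' },
    'node_modules/lib-a': { version: '4.1.2' },
    'node_modules/lib-a/node_modules/color-convert': { version: '2.0.1' },
    'node_modules/lib-b/node_modules/color-convert': { version: '3.1.2' },
  },
};

// Stand-alone usage: node scan-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const line of scanReport(lock).summary) console.log(line);
}
```

Run it against a real lockfile with `node scan-lock.js package-lock.json`; each reported path is an install that `npm list color-convert` would also show, but the script gives a machine-checkable yes/no that can gate a CI job. Because the advisory's affected range is "3.1.1 or earlier", the script deliberately flags old legitimate releases such as 2.0.1 as well, matching the page's own guidance to upgrade everything below 3.1.2.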
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59162 is to immediately upgrade the color-convert package to version 3.1.2 or higher. Given the severity, a rollback is not recommended; attempting to revert to a previous version will simply reintroduce the vulnerability. Consider using a software composition analysis (SCA) tool to identify other potentially compromised dependencies within your project. Thoroughly review system logs for any suspicious activity following the compromise. Rotate all secrets and keys stored on affected systems from a clean, uncompromised machine. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a code-level compromise.
Upgrade to version 3.1.2 or higher. Completely remove the node_modules directory, clear your package manager's global cache and rebuild any browser bundles from scratch. If you operate private registries or registry mirrors, purge the affected versions from any cache.
CVE-2025-59162 is a HIGH severity vulnerability where the color-convert Node.js package was compromised, resulting in the injection of malicious code. This allows attackers to gain full control of affected systems.
You are affected if your project uses color-convert version 3.1.1 or earlier. Immediately check your dependencies and upgrade to mitigate the risk.
Upgrade the color-convert package to version 3.1.2 or higher using npm or yarn. Also, rotate all secrets and keys stored on affected systems.
While no public exploits are currently available, the nature of the compromise suggests active exploitation is possible. Monitor your systems closely for suspicious activity.
Refer to the ghsa-malware report and related security advisories for more information. Check the npm registry for updates and announcements.