CVE-2025-59143 is a malware advisory for the color Node.js package on npm. The affected release, 5.0.1, contains malicious code that runs when the package is installed, giving the attacker control of the host; the advisory's fix version is 5.0.2. Any project whose dependency tree resolved to 5.0.1 needs immediate action: upgrade, reinstall from a clean state, and rotate credentials.
Impact and attack scenarios
The impact is severe. Installing the malicious release hands the attacker control of the host, including every secret, key and credential stored on it or reachable from it. The upstream advisory states that removing the package is not sufficient: code that already ran with the installing user's privileges may have established persistence or exfiltrated data, so the host should be treated as compromised until it is rebuilt. This is a software supply chain attack: a malicious release was published under a trusted, widely depended-on package name, so the blast radius covers every developer workstation, CI runner and server that installed 5.0.1 while it was the current release, plus any artifacts built from it.
Exploitation status
This advisory comes from ghsa-malware analysis (3507ec02d0eb24c87e1f7621140bb5e6a4a343308e7ee8af79ef7f84617f8577). For a malicious package the usual exploitation signals do not apply: there is no separate exploit to develop or observe, because every install of the malicious release is itself the attack. No exploitation activity beyond the package publication had been publicly linked to this CVE at publication time, and there is no proof-of-concept in the usual sense. The EPSS score shown on this page (0.09%, 25th percentile) is low, but EPSS models exploitation of vulnerabilities in deployed software and is a poor indicator for install-time malware; it should not lower the priority of the detection and remediation steps below.
Who is at risk
Anyone whose dependency tree resolved to color 5.0.1 is at risk: developers who ran an install while it was the current release, CI/CD runners and build servers, and production hosts running Node.js applications, especially those holding secrets, tokens or signing keys. Because color is commonly a transitive dependency, projects that never list it in package.json are affected too, which is why the lockfile and the installed tree, not package.json, are what to check. Shared machines such as multi-user developer boxes and shared build agents are at increased risk, since one user's install can expose other users' data on the same host. Because the remediation below calls for rebuilding browser bundles, end users who were served bundles built from the affected release should be considered exposed as well.
Detection steps
• nodejs / supply-chain:
npm list color
Lists every installed copy of the color package with its version (npm 7 and later print every path to it in the tree). If 5.0.1, the malicious release, appears anywhere, treat the host as compromised and follow the remediation below; any version below 5.0.2 should be moved to 5.0.2 or later, the advisory's fix version. Check package-lock.json and yarn.lock as well, since a pinned 5.0.1 will be reinstalled on the next clean install.
• nodejs / supply-chain:
npm audit | grep color
Reports registry advisories that match your dependency tree and filters the output for color. This depends on a lockfile being present and on the registry's advisory database, so a clean result does not by itself clear a host that already ran the install.
• nodejs / supply-chain:
npm audit fix
Attempts to bump vulnerable dependencies within the semver ranges your project allows. This is remediation rather than detection, and it does not undo anything the malicious release did at install time; re-run npm list color afterwards to confirm that 5.0.2 or later is in place, then follow the mitigation steps below.
Threat intelligence
- EPSS: 0.09% (25th percentile)
Affected software
- Package: color (npm); latest release 5.0.3, last updated 6 months ago
Mitigations and workarounds
The primary mitigation for CVE-2025-59143 is to upgrade the color package to version 5.0.2 or later immediately, in every project and on every host where 5.0.1 was installed. Because the malicious code ran at install time, upgrading alone does not remediate the host: after upgrading, rotate every secret, key and token that was stored on or reachable from the affected system, and do the rotation from a clean, uncompromised machine so the new credentials are not exposed to the same attacker. Where the host cannot be shown clean, rebuild it rather than relying on package removal. To reduce exposure to the next malicious release, generate a software bill of materials (SBOM) for each Node.js project so transitive dependencies like color are visible, install from a committed lockfile in CI rather than resolving fresh ranges on every build, and review dependency updates before they reach build and production environments.
How to fix
Upgrade to version 5.0.2 or later. Delete the node_modules directory completely, clear your package manager's global cache (npm or yarn) so a cached copy of 5.0.1 cannot be reinstalled, and reinstall from a lockfile that pins 5.0.2 or later. Rebuild all browser bundles from scratch, since bundles produced while 5.0.1 was installed embed the affected code. If you run a private registry or a registry mirror, purge the affected version from every cache so downstream projects cannot resolve to it.
Frequently asked questions
What is CVE-2025-59143 — Malware in color Node.js Package?
CVE-2025-59143 is a HIGH severity malware advisory for the color Node.js package: the affected release, 5.0.1, executes malicious code when installed, so any host that installed it should be treated as fully compromised and remediated immediately.
Am I affected by CVE-2025-59143 in color Node.js Package?
You are affected if color version 5.0.1, the malicious release, is present in your installed dependency tree or pinned in your lockfile, including as a transitive dependency you never listed yourself. Check package-lock.json or yarn.lock and the installed node_modules tree on every developer machine, CI runner and server, not just package.json.
How do I fix CVE-2025-59143 in color Node.js Package?
Upgrade the color package to version 5.0.2 or later, delete node_modules, clear the npm or yarn cache, reinstall from the updated lockfile and rebuild any browser bundles. Then rotate all secrets and keys that were stored on the affected system, doing so from a clean machine.
Is CVE-2025-59143 being actively exploited?
No exploitation activity beyond the publication of the malicious release has been publicly confirmed, but for a malicious package every install of 5.0.1 is itself an instance of exploitation, so any host that installed it should be treated as compromised regardless of campaign reporting.
Where can I find the official color package advisory for CVE-2025-59143?
Refer to the npm advisory and the ghsa-malware report for details: [https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330](https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330)