Platform
wordpress
Component
popup-builder
Fixed version
4.4.2
CVE-2025-9856 identifies a critical security vulnerability in the Chalk package for Node.js. The package was compromised, resulting in the injection of malicious code. This poses a significant threat, potentially leading to full system compromise and data exfiltration. Versions of Chalk up to and including 5.6.1 are affected, and immediate action is required to mitigate the risk.
The primary impact of this vulnerability is complete system compromise. The malicious code injected into the Chalk package grants attackers unauthorized access and control over systems where it is installed. Attackers can steal sensitive data, install additional malware, and potentially pivot to other systems on the network. The description explicitly states that any computer running the compromised package should be considered fully compromised, emphasizing the severity of the situation. This is a supply-chain attack, similar to those seen with SolarWinds, where a trusted component is used to distribute malware widely.
This vulnerability was discovered and publicly disclosed on 2025-09-08. The GHSA identifier (GHSA-2v46-p5h4-248w) highlights the malware nature of the compromise. Public proof-of-concept code is not expected, as the vulnerability lies in the compromised package itself. Active exploitation is highly probable given the widespread use of Node.js and the ease of distributing malicious packages through registries. This is likely to be added to the CISA KEV catalog.
Node.js developers and organizations who rely on the Chalk package are at significant risk. This includes projects using Chalk for console output formatting, particularly those with automated build processes or continuous integration pipelines that automatically install dependencies. Shared hosting environments and systems with lax package management practices are especially vulnerable.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*chalk*'}
• nodejs / supply-chain:
Get-Package -Name Chalk | Select-Object Version
• nodejs / supply-chain:
Check package.json files for Chalk versions <= 5.6.1. Use npm ls chalk to list installed versions.
disclosure
Exploitation status
EPSS
0.04% (14th percentile)
CISA SSVC
CVSS vector
The immediate mitigation is to remove the compromised Chalk package from all affected systems. However, due to the nature of the compromise, simply removing the package is not sufficient. All secrets and keys stored on the affected computer must be rotated immediately from a different, clean computer. Consider reimaging the affected systems to ensure complete removal of any malicious software. There are no configuration workarounds or WAF rules that can prevent this type of supply-chain attack; prevention relies on careful package management and security scanning.
Update to version 4.4.2, or a newer patched version
CVE-2025-9856 describes a critical vulnerability where the Chalk package for Node.js was compromised and malicious code was injected. This can lead to full system compromise.
If you are using Chalk version 5.6.1 or earlier, you are affected. Immediately check your project dependencies and remove the package.
Remove the compromised Chalk package and rotate all secrets stored on the affected system. Consider reimaging the system for complete cleanup.
Given the nature of the compromise and widespread use of Node.js, active exploitation is highly probable.
Check the Chalk project's GitHub repository and related security advisories for updates and official guidance.