debug
Fixed in
4.4.3
CVE-2025-59144 represents a critical security issue stemming from a malicious compromise of the Nodejs debug package. This compromise resulted in the injection of malicious code, potentially granting attackers complete control over affected systems. The vulnerability impacts versions of Nodejs debug up to and including 4.4.2, with a fix released in version 4.4.3.
The impact of CVE-2025-59144 is severe. The malicious code injected into the package allows an attacker to gain full control of the system where the package is installed and running. This includes the ability to access and exfiltrate sensitive data, install additional malware, and potentially pivot to other systems on the network. The description explicitly states that all secrets and keys stored on the compromised computer should be rotated immediately from a different, trusted machine, highlighting the potential for widespread data breaches and credential theft. The scope of the compromise extends beyond the immediate application using the package; the entire system is considered fully compromised.
This vulnerability was identified through a ghsa-malware report, indicating a supply chain attack. The EPSS score is likely high, reflecting the potential for widespread exploitation given the nature of compromised packages. Public proof-of-concept exploits are likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on September 8, 2025.
Organizations and developers using the Nodejs debug package in their projects are at risk. This includes those deploying Node.js applications in production environments, as well as development teams relying on the package for debugging purposes. Shared hosting environments where multiple users share the same server are particularly vulnerable, as a compromise of the package could affect all users on the server.
• nodejs / supply-chain: npm ls debug
• nodejs / supply-chain: npm audit debug
• nodejs / supply-chain: find /usr/local/lib/node_modules/debug -type f -exec grep -i 'malicious code' {} +
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59144 is to immediately upgrade to Nodejs debug version 4.4.3 or higher. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider removing the package entirely. However, given the extent of the compromise, simply removing the package is not sufficient. A thorough forensic investigation of the affected system is crucial to identify and remove any additional malicious components that may have been installed. After upgrading, confirm the integrity of the system by scanning for suspicious processes, files, and registry entries. Consider using a reputable anti-malware solution to perform a full system scan.
Upgrade to version 4.4.3 or higher. Completely remove the node_modules directory, clear your package manager's global cache, and rebuild any browser bundles from scratch. If you operate private registries or registry mirrors, purge the affected versions from any cache.
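The version check the advisory recommends (`npm ls debug`, with 4.4.2 or earlier as the affected range), as an added shell example that is not part of the advisory: it walks a project tree for every installed copy of debug, including nested copies, and flags versions below 4.4.3 without needing npm. It assumes a POSIX shell with `find` and `sed`, and installation paths without whitespace.

```shell
#!/bin/sh
# Added example, not part of the advisory: locate every installed copy of the
# npm "debug" package under a project tree (top-level and nested copies, the
# same set `npm ls debug` reports) and flag versions at or below 4.4.2, the
# range CVE-2025-59144 covers. POSIX sh only; no npm or network access needed.
# Assumption: installation paths contain no whitespace.

FIXED_VERSION="4.4.3"   # first safe release, per the advisory

# version_lt A B: return 0 when dotted version A is lower than B.
# Pre-release/build suffixes ("4.4.2-rc.1") are stripped before comparing.
version_lt() {
    v1=${1%%[-+]*}; v2=${2%%[-+]*}
    old_ifs=$IFS; IFS=.
    set -- $v1 0 0 0; a=$1; b=$2; c=$3
    set -- $v2 0 0 0; x=$1; y=$2; z=$3
    IFS=$old_ifs
    [ "$a" -ne "$x" ] && { [ "$a" -lt "$x" ]; return; }
    [ "$b" -ne "$y" ] && { [ "$b" -lt "$y" ]; return; }
    [ "$c" -lt "$z" ]
}

# pkg_version FILE: print the top-level "version" field of a package.json.
pkg_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_tree ROOT: print "<path> <version> <AFFECTED|ok>" per copy of debug below
# ROOT; return 1 if any copy is affected (unreadable version counts as affected).
scan_tree() {
    root=${1:-.}
    affected=0
    for dir in $(find "$root" -type d -path '*/node_modules/debug' 2>/dev/null); do
        [ -f "$dir/package.json" ] || continue
        ver=$(pkg_version "$dir/package.json")
        if version_lt "${ver:-0}" "$FIXED_VERSION"; then
            status=AFFECTED; affected=1
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$dir" "${ver:-unknown}" "$status"
    done
    return "$affected"
}

# Usage: sh check_debug.sh /path/to/project
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

A non-zero exit status means at least one affected copy was found, so the script can gate a CI job; remember that the advisory treats the whole host as compromised, so a clean result after upgrading does not replace the forensic review it calls for.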
CVE-2025-59144 is a HIGH severity vulnerability where malicious code was injected into the Nodejs debug package, potentially granting attackers full control over affected systems.
You are affected if you are using Nodejs debug version 4.4.2 or earlier. Check your installed version using npm ls debug.
Upgrade to Nodejs debug version 4.4.3 or higher. If upgrading is not possible, remove the package and rotate all secrets stored on the affected system.
While active exploitation is not yet confirmed, the nature of the vulnerability (supply chain compromise) suggests a high probability of exploitation.
Refer to the Nodejs security advisories and the ghsa-malware report for details: [https://github.com/advisories/ghsa-malware](https://github.com/advisories/ghsa-malware)