color-name
Fixed in: 2.0.2
CVE-2025-59145 is a critical security issue in the color-name Node.js package: malicious code was injected into the package, leading to a potential full system compromise on affected systems. Versions of color-name up to and including 2.0.1 are affected; a fix is available in version 2.0.2.
The core impact of CVE-2025-59145 is the complete compromise of any system running the affected color-name package. The malicious code allows an attacker to gain full control over the system, potentially exfiltrating sensitive data, installing persistent malware, or using the compromised system as a launchpad for further attacks. The advisory explicitly states that all secrets and keys stored on the affected computer should be rotated immediately from a different, trusted computer, which underlines the severity of the compromise. This is a supply-chain attack, similar in nature to other package compromise events, in which malicious code is inserted into a legitimate package before distribution and reaches a wide range of downstream users.
This vulnerability was identified through ghsa-malware analysis. The public disclosure date is 2025-09-08. Given the nature of the compromise (malware injection), there is a high probability of exploitation. While no specific exploit details are publicly available yet, the potential for widespread impact is significant due to the popularity of Node.js and the use of npm packages. It is likely to be added to the CISA KEV catalog soon.
Node.js developers and organizations who use the color-name package in their projects are at risk. This includes those deploying applications to production environments, as well as development and testing systems. Shared hosting environments that automatically install dependencies are particularly vulnerable.
• nodejs / supply-chain:
  npm ls color-name --all
  # List every installed copy (transitive copies included) and check for version <= 2.0.1
• nodejs / supply-chain:
  npm audit
  # Look for color-name among the reported vulnerabilities
• generic web:
  curl -I https://registry.npmjs.org/color-name
  # Check for any unusual response headers or redirects
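Because color-name is usually a transitive dependency, a shallow `npm ls` can miss nested copies. The following added example (not from this advisory or the color-name project) scans the `packages` map of a parsed lockfileVersion 2 or 3 package-lock.json for every installed copy below the fixed version; the `findAffected` helper, its semver comparison and the sample lockfile are my own constructions.

```javascript
// Added example, not from the advisory: find every installed copy of
// color-name below the fixed version by reading the "packages" map of a
// lockfileVersion 2 or 3 package-lock.json (assumed format). Nested keys
// such as "node_modules/a/node_modules/color-name" are transitive copies.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", any pre-release suffix
// ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every lockfile entry for `name` whose version is below `fixed`.
function findAffected(lock, name = "color-name", fixed = "2.0.2") {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const isTarget = key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`);
    if (!isTarget || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path: key, version: entry.version, resolved: entry.resolved || null });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a nested
// copy pulled in by "some-lib" is still on an affected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/color-name": { version: "2.0.2" },
    "node_modules/some-lib": { version: "1.2.3" },
    "node_modules/some-lib/node_modules/color-name": { version: "2.0.1" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json (for example via `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`); every returned entry is an installed copy that still needs the upgrade and clean-up described in the mitigation guidance.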
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2025-59145 is to immediately upgrade the color-name package to version 2.0.2 or later. However, given the nature of the compromise, simply upgrading may not be sufficient. It is strongly recommended to remove the package entirely after upgrading. Due to the potential for persistent malware, a full system re-imaging or forensic analysis is advisable. Rotate all secrets and keys that were stored on the affected system from a clean, trusted machine. Consider implementing stricter dependency scanning and code review processes to prevent future supply-chain attacks. After upgrade and removal, confirm by scanning the system for any unusual processes or network connections.
Update the color-name package to version 2.0.2 or later. Completely remove the node_modules directory, clear your package manager's global cache (npm or yarn) and rebuild any browser bundles from scratch. If you operate private registries or registry mirrors, purge the affected versions from any cache.
CVE-2025-59145 is a HIGH severity vulnerability where malicious code was injected into the color-name Node.js package, potentially leading to full system compromise.
Yes, if you are using color-name version 2.0.1 or earlier, you are affected and must take immediate action.
Upgrade to color-name version 2.0.2 or later, remove the package, rotate all secrets, and consider a full system re-imaging.
While no specific exploits are publicly known, the high severity and potential for widespread impact suggest a high probability of exploitation.
Check the npm registry and the color-name project's repository for updates and advisories related to this vulnerability.