HIGH | CVE-2025-59143 | CVSS 7.5

Malicious code injection in color (npm)

Platform

nodejs

Component

color

Fixed version

5.0.2

AI Confidence: high | NVD | EPSS 0.1% | Reviewed: May 2026

CVE-2025-59143 affects the color Node.js package, posing a critical risk of full system compromise. The vulnerability allows for malicious code execution, potentially granting attackers complete control over affected systems. Versions of the package prior to 5.0.2 are vulnerable, and immediate action is required to mitigate the risk. A fix is available in version 5.0.2.

Impact and attack scenarios

The impact of CVE-2025-59143 is severe. Upon installation, the malicious package grants attackers complete control over the affected system. This includes access to all stored secrets, keys, and sensitive data. The description explicitly states that simply removing the package is not sufficient, as the attacker may have already established a persistent presence. This vulnerability shares characteristics with supply chain attacks where malicious packages are injected into legitimate projects, leading to widespread compromise. The potential blast radius is significant, impacting any system running a vulnerable version of the color package.

Exploitation context

This vulnerability was identified through ghsa-malware analysis (3507ec02d0eb24c87e1f7621140bb5e6a4a343308e7ee8af79ef7f84617f8577). While no specific exploit campaigns have been publicly linked to this CVE as of the publication date, the high CVSS score and the nature of the compromise (full system control) indicate a high probability of exploitation. It is likely to be added to the CISA KEV catalog given the severity and potential impact. Public proof-of-concept code is not currently available, but the potential for widespread compromise warrants immediate attention.

Who is at risk

Developers and organizations using the color Node.js package in their projects are at risk. This includes those deploying Node.js applications in production environments, particularly those handling sensitive data or secrets. Shared hosting environments where multiple users may have access to the same Node.js installation are also at increased risk.

Detection steps

• nodejs / supply-chain:

  npm list color

  This command lists the installed version of the color package. If the version is less than or equal to 5.0.1, the system is vulnerable.

• nodejs / supply-chain:

  npm audit | grep color

  This command checks for known vulnerabilities in your project's dependencies, including the color package.

• nodejs / supply-chain:

  npm audit fix

  This command attempts to automatically fix vulnerabilities in your project's dependencies. However, manual verification is still required after running this command.
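The npm list check above reports one project at a time and is easy to misread when color is installed more than once (a hoisted copy at the top level plus nested copies under other dependencies). The following Node.js script is an added example, not part of this advisory or of the color project: it reads a package-lock.json in the v1 (nested "dependencies") or v2/v3 ("packages" map) shape, lists every installed copy of color with its path, and flags versions at or below 5.0.1, the threshold the detection step uses. The affected-software table on this page lists exactly 5.0.1, so LAST_BAD is kept as a single constant you can narrow. The sample lockfile embedded in the script is constructed for the demonstration.

```javascript
// Added example (not the advisory's or the color project's code): scan an
// npm lockfile for installed copies of "color" in the affected version range.
// Supports lockfileVersion 2/3 (flat "packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" objects).

const AFFECTED_PACKAGE = 'color';
// Detection rule from the advisory's detection step: <= 5.0.1 is vulnerable.
// The affected-software table lists exactly 5.0.1; tighten here if desired.
const LAST_BAD = '5.0.1';

// Parse "major.minor.patch" into numbers, ignoring a leading "v" and any
// prerelease/build suffix. Throws on non-numeric input rather than guessing.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, LAST_BAD) <= 0;
}

// Return every { path, version } where AFFECTED_PACKAGE is installed,
// including nested copies under other dependencies.
function findInstalls(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/color" or
    // "node_modules/foo/node_modules/color"; "" is the root project.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue;
      const name = key.split('node_modules/').pop();
      if (name === AFFECTED_PACKAGE && meta.version) {
        hits.push({ path: key, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recurse through nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE && meta.version) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Only the copies whose version falls in the affected range.
function scanLockfile(lock) {
  return findInstalls(lock).filter((h) => isAffected(h.version));
}

// Constructed sample (v3 shape): one fixed top-level copy, one affected
// nested copy, and an unrelated package whose name merely starts with "color".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/color': { version: '5.0.2' },
    'node_modules/chalk-like/node_modules/color': { version: '5.0.1' },
    'node_modules/color-convert': { version: '3.1.0' },
  },
};

// CLI entry: `node scan-color-lock.js [path/to/package-lock.json]`.
// Without an argument the embedded sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK;
  const bad = scanLockfile(lock);
  if (bad.length === 0) {
    console.log(`no affected copies of ${AFFECTED_PACKAGE} found`);
  } else {
    for (const h of bad) console.log(`AFFECTED ${h.path} version ${h.version}`);
    process.exitCode = 1;
  }
}
```

A hit under a nested path means the copy arrived transitively through the parent package named in the path, so a top-level version bump alone will not remove it; the parent dependency has to be updated or the nested copy overridden, and the lockfile re-scanned afterwards. Exit code 1 on any hit makes the script usable as a CI gate across many repositories.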

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: No
NextGuard: 94% still vulnerable

EPSS

0.09% (25th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: partial

Affected software

Component: color
Vendor: osv

Affected range: = 5.0.1 – = 5.0.1 (i.e. version 5.0.1 only)
Fixed version: 5.0.2

Package information

Last updated
5.0.3 (6 months ago)

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patch released 6 days after disclosure

Mitigations and alternatives

The primary mitigation for CVE-2025-59143 is to immediately upgrade the color package to version 5.0.2 or later. Due to the severity of the compromise, simply upgrading may not be enough. After upgrading, it is critical to rotate all secrets and keys stored on the affected system from a clean, uncompromised machine. Consider using a software bill of materials (SBOM) tool to identify all dependencies and potential vulnerabilities within your Node.js projects. Implement robust package verification processes to prevent the installation of malicious packages in the future.

Remediation

Upgrade to version 5.0.2 or later. Completely remove the node_modules directory, clear your package manager's global cache (npm or yarn), and rebuild all browser bundles from scratch. If you use a private registry or a registry mirror, purge the affected versions from any cache.


Frequently asked questions

What is CVE-2025-59143 — Malware in color Node.js Package?

CVE-2025-59143 is a HIGH severity vulnerability affecting the color Node.js package where installation leads to full system compromise, requiring immediate action.

Am I affected by CVE-2025-59143 in color Node.js Package?

You are affected if you are using the color Node.js package version 5.0.1 or earlier. Check your project dependencies immediately.

How do I fix CVE-2025-59143 in color Node.js Package?

Upgrade the color package to version 5.0.2 or later. Rotate all secrets and keys stored on the affected system from a clean machine.

Is CVE-2025-59143 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the high severity and potential for compromise suggest a high probability of exploitation.

Where can I find the official color package advisory for CVE-2025-59143?

Refer to the official Node Package Manager (npm) advisory and the ghsa-malware report for detailed information: [https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330](https://ghsa.security/ghsa/3507ec02d0eb24c87e1f7621140bb5e6a4a34330)
