CVE-2025-59037
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-11

Assigner: GitHub, Inc.

Description
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included malicious code to interfere with cryptocoin transactions. According to the npm statistics, nobody downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, and `@duckdb/duckdb-wasm@1.29.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected versions, and re-released the Node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs

Vendor   Product        Version / Range
duckdb   node-api       1.3.4
duckdb   duckdb-wasm    1.30.0
duckdb   node-bindings  1.3.4
duckdb   duckdb         1.3.4
duckdb   duckdb         1.3.3
duckdb   duckdb-wasm    1.29.2
duckdb   node-api       1.3.3
duckdb   duckdb         1.30.0
duckdb   node-bindings  1.3.3
CWE
CWE-506: The product contains code that appears to be malicious in nature.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59037 is a supply chain attack where the DuckDB Node.js packages on npm were compromised by an attacker who published malicious versions containing code designed to interfere with cryptocurrency transactions. The attacker used a phishing campaign to gain access to the maintainer's npm account and published malicious package versions that silently intercept and manipulate Ethereum wallet interactions in users' browsers, redirecting funds to attacker-controlled addresses without user notification. [1, 2]


How can this vulnerability impact me?

If you use the compromised DuckDB Node.js packages (versions 1.3.3 and 1.29.2), the malicious code can silently intercept your Ethereum wallet transactions in your browser, rewrite payment destinations, and redirect your cryptocurrency funds to attacker-controlled addresses without your knowledge, resulting in theft of your crypto assets. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your project uses the compromised DuckDB Node.js package versions: @duckdb/node-api@1.3.3, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, or @duckdb/duckdb-wasm@1.29.2. You can run commands like `npm list @duckdb/node-api` or `npm list duckdb` to verify installed versions. Additionally, tools like Aikido SafeChain are recommended to detect and prevent supply chain compromises involving malicious npm packages. [1, 2]
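The `npm list` commands above check one live install at a time. For auditing many checked-in lockfiles (CI, monorepos, archived builds), the script below, an added example that is not part of the BaseFortify page or of the DuckDB project, walks a `package-lock.json` and flags the exact package@version pairs named in the description. It handles both lockfile v1 (nested `dependencies`) and v2/v3 (flat `packages` map, including nested `node_modules` paths). The `SAMPLE_LOCK` object is a constructed lockfile for demonstration; pass a real path as the first argument to scan your own.

```javascript
// Added example (not from the BaseFortify page or the DuckDB project): flag
// the npm package versions named in CVE-2025-59037 inside a package-lock.json.
// Supports lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

// Exact package@version pairs taken from the advisory description.
const AFFECTED = {
  '@duckdb/node-api': ['1.3.3'],
  '@duckdb/node-bindings': ['1.3.3'],
  'duckdb': ['1.3.3'],
  '@duckdb/duckdb-wasm': ['1.29.2'],
};

// Derive the package name from a lockfile v2/v3 path such as
// "node_modules/foo/node_modules/@duckdb/node-api" (scoped names keep their "@scope/").
function nameFromPath(p) {
  const marker = 'node_modules/';
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

// Return every occurrence of an affected name@version, with where it was found.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const check = (name, version, where) => {
    if (affected[name] && affected[name].includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    // v2/v3: one flat entry per installed path; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      check(nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    // v1: nested tree, so recurse and record the dependency chain.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = prefix ? `${prefix} > ${name}` : name;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3): one affected version buried under a
// transitive dependency, plus fixed/workaround versions that must not fire.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/duckdb': { version: '1.3.4' },
    'node_modules/some-dep/node_modules/@duckdb/node-api': { version: '1.3.3' },
    'node_modules/@duckdb/duckdb-wasm': { version: '1.29.1' },
  },
};

// Stand-alone usage: `node check-lock.js [path/to/package-lock.json]`.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.where}`);
  console.log(hits.length ? `${hits.length} affected package(s) found` : 'no affected versions found');
}
```

Matching on exact versions (rather than semver ranges) is deliberate: only the four published versions carried the malicious code, and both the fixed releases (1.3.4/1.30.0) and the workaround downgrades (1.3.2/1.29.1) are clean, so a range check would produce false positives.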


What immediate steps should I take to mitigate this vulnerability?

Immediately upgrade any affected DuckDB Node.js packages to safe versions: 1.3.4 or higher for Node packages and 1.30.0 or higher for wasm packages. Alternatively, downgrade to versions 1.3.2 or 1.29.1 as a temporary workaround. Also, ensure that any compromised credentials or tokens are rotated, and review your security practices to prevent phishing attacks similar to the one that led to this compromise. [2]

