CVE-2025-59038
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prebid | prebid-universal-creative | 1.17.3 |
| prebid | proto-tinker-wc | 0.1.87 |
| prebid | prebid.js | 10.9.2 |
| prebid | prebid | 10.10.0 |
| prebid | prebid.js | 10.10.0 |
| duckdb | duckdb | 1.3.3 |
| prebid | prebid | 10.9.2 |
| debug | debug | 4.4.2 |
| chalk | chalk | 5.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a malware campaign that briefly compromised NPM users of prebid.js version 10.9.2. The malicious code attempts to redirect cryptocurrency transactions on the affected sites to the attackers' wallet. The issue is fixed in version 10.10.0, and as a workaround, users can downgrade to version 10.9.1.
How can this vulnerability impact me? :
If you use prebid.js version 10.9.2, this vulnerability could result in your site's cryptocurrency transactions being redirected to an attacker's wallet, potentially causing financial loss and compromising transaction integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Prebid.js to version 10.10.0. As a temporary workaround, you can downgrade to version 10.9.1 to avoid the compromised 10.9.2 version.