CVE-2025-59039
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-11

Assigner: GitHub, Inc.

Description
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware. This includes the extremely popular jsdelivr hosting of this file. The maintainers of PUC unpublished version 1.17.3. Users should see Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 as soon as possible to avoid similar attacks in the future.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 23 associated CPEs
Vendor Product Version / Range
ansi-styles ansi-styles 6.2.2
color-convert color-convert 3.1.1
supports-color supports-color 10.2.1
prebid prebid-universal-creative *
color-string color-string 2.1.1
proto-tinker-wc proto-tinker-wc 0.1.87
wrap-ansi wrap-ansi 9.0.1
ansi-regex ansi-regex 6.2.1
strip-ansi strip-ansi 7.1.1
color color 5.0.1
supports-hyperlinks supports-hyperlinks 4.1.1
prebid prebid-universal-creative 1.17.3
prebid prebid.js 10.9.2
is-arrayish is-arrayish 0.3.3
duckdb duckdb 1.3.3
prebid prebid 10.9.2
simple-swizzle simple-swizzle 0.2.3
error-ex error-ex 1.3.3
chalk chalk 5.6.1
has-ansi has-ansi 6.0.1
debug debug 4.4.2
color-name color-name 2.0.1
slice-ansi slice-ansi 7.1.1
CWE ID Description
CWE-506 The product contains code that appears to be malicious in nature.
AI Powered Q&A
Can you explain this vulnerability to me?

Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Version 1.17.3 and the 'latest' version on npm were briefly affected by crypto-related malware, and this included the popular jsdelivr hosting of the file. The maintainers have unpublished version 1.17.3 to mitigate the issue, and users are advised to move away from the deprecated workflow or point to version 1.17.2 to avoid similar attacks.


How can this vulnerability impact me?

This vulnerability can lead to the execution of crypto-related malware through the compromised JavaScript API, potentially resulting in unauthorized cryptomining or other malicious activities on affected systems. This can degrade system performance, increase resource usage, and expose users to security risks.


What immediate steps should I take to mitigate this vulnerability?

Users should transition from Prebid Universal Creative (PUC) version 1.17.3 or the 'latest' version to version 1.17.2 as soon as possible. Additionally, users should follow the Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using PUC or pointing to a dynamic version of it to avoid similar attacks in the future.

