CVE-2025-59142
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| debug | debug | 4.4.2 |
| qix | color-string | 2.1.1 |
| qix | color-string | 2.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59142 is a vulnerability in the npm package color-string where the package's publishing account was taken over via a phishing attack. The attacker published a malicious version 2.1.1 that included malware designed to redirect cryptocurrency transactions to the attacker's addresses, but only within browser environments. This malware targets cryptocurrency wallets like MetaMask and does not affect local, server, or command-line environments. The compromised package was removed from npm on the same day, and a clean patch version 2.1.2 was released to fix the issue. [1]
How can this vulnerability impact me? :
If you use the color-string package in a browser context (such as direct script inclusion or bundling with tools like Babel, Rollup, Vite, Next.js), this vulnerability could redirect your cryptocurrency transactions to an attackerβs wallet, potentially resulting in financial loss. Local, server, or command-line uses of the package are not affected. To mitigate the risk, users should update to version 2.1.2, clear caches, delete node_modules, and rebuild browser bundles. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your project uses color-string version 2.1.1 in a browser context. You can inspect your package.json and package-lock.json or yarn.lock files for [email protected]. Additionally, search your built browser bundles for suspicious code redirecting cryptocurrency transactions. Commands to help detect include: 1) npm list color-string to see installed versions; 2) grep or findstr commands to search for 'color-string' or suspicious redirect code in your bundled files; 3) check your package manager cache for the compromised version. Since the malware only affects browser environments, focus detection on browser bundles rather than server or CLI environments. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrade color-string to version 2.1.2 or later; 2) Delete your node_modules directory to remove the compromised package; 3) Clear your package manager's global cache to avoid reinstalling the malicious version; 4) Rebuild all browser bundles from scratch to ensure no compromised code remains; 5) If using private registries or mirrors, purge cached compromised versions to prevent reintroduction. These steps will remove the malicious payload and prevent redirection of cryptocurrency transactions. [1]