CVE-2025-59144
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ansi-styles | ansi-styles | 6.2.2 |
| proto-tinker-wc | proto-tinker-wc | 1.8.7 |
| color-convert | color-convert | 3.1.1 |
| supports-color | supports-color | 10.2.1 |
| color-string | color-string | 2.1.1 |
| wrap-ansi | wrap-ansi | 9.0.1 |
| chalk-template | chalk-template | 1.1.1 |
| ansi-regex | ansi-regex | 6.2.1 |
| strip-ansi | strip-ansi | 7.1.1 |
| supports-hyperlinks | supports-hyperlinks | 4.1.1 |
| is-arrayish | is-arrayish | 0.3.3 |
| debug | debug | 4.4.3 |
| error-ex | error-ex | 1.3.3 |
| simple-swizzle | simple-swizzle | 0.2.3 |
| chalk | chalk | 5.6.1 |
| has-ansi | has-ansi | 6.0.1 |
| debug | debug | 4.4.2 |
| color-name | color-name | 2.0.1 |
| slice-ansi | slice-ansi | 7.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the npm package 'debug' version 4.4.2, whose publishing account was compromised via a phishing attack. The attacker published a malicious version that included malware targeting cryptocurrency transactions in browser environments. The malware attempts to redirect cryptocurrency transactions, such as those using wallets like MetaMask, to the attacker's addresses. Only browser contexts are affected; local, server, and command-line environments are not impacted. The compromised package was removed from npm, and patched versions were released to fix the issue. [1]
How can this vulnerability impact me? :
If you use the 'debug' package in a browser environment, this vulnerability can lead to your cryptocurrency transactions being redirected to an attacker's wallet, resulting in financial loss. Local, server, or command-line uses are not affected. To mitigate the risk, users must upgrade to the fixed version, clear caches, delete node_modules, and rebuild browser bundles to remove the malicious code. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your project uses the debug package version 4.4.2 in a browser context, such as direct <script> inclusions or bundles created with tools like Babel, Rollup, Vite, or Next.js. Since the malware targets cryptocurrency transactions in browser environments, monitoring for suspicious redirection of cryptocurrency transactions or unusual network requests to unknown addresses related to wallets like MetaMask may help detect infection. Specific commands are not provided in the resources, but you can check your package.json and lock files for [email protected], and inspect your browser bundles for the presence of this version. Additionally, monitoring network traffic for unexpected redirects in browser environments could be useful. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the debug package to version 4.4.3 or later, completely removing your node_modules directory, clearing your package manager's global cache, and rebuilding any browser bundles from scratch. If you operate private registries or mirrors, you should purge the compromised version 4.4.2 from any caches. These steps ensure that the malicious payload is removed and that your environment uses the safe patched version. [1]