Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities found for duckdb-node by duckdb

    CVE-2025-59037 (GCVE-0-2025-59037)

    Vulnerability from cvelistv5 – Published: 2025-09-09 20:26 – Updated: 2025-09-10 14:28
    VLAI
    Title
    DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
    Summary
    DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, and `@duckdb/duckdb-wasm@1.29.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1.
    Severity
    8.6 (High)
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-506 - Embedded Malicious Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    duckdb duckdb-node Affected: = 1.3.3
    Affected: = 1.29.2
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59037",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T14:04:02.469534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T14:28:58.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "duckdb-node",
          "vendor": "duckdb",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.3.3"
            },
            {
              "status": "affected",
              "version": "= 1.29.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB\u0027s packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, and `@duckdb/duckdb-wasm@1.29.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T20:26:57.986Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c"
        },
        {
          "name": "https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4"
        },
        {
          "name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
        }
      ],
      "source": {
        "advisory": "GHSA-w62p-hx95-gf2c",
        "discovery": "UNKNOWN"
      },
      "title": "DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59037",
    "datePublished": "2025-09-09T20:26:57.986Z",
    "dateReserved": "2025-09-08T16:19:26.171Z",
    "dateUpdated": "2025-09-10T14:28:58.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

    CVE-2025-59037 (GCVE-0-2025-59037)

    Vulnerability from nvd – Published: 2025-09-09 20:26 – Updated: 2025-09-10 14:28
    VLAI
    Title
    DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
    Summary
    DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, and `@duckdb/duckdb-wasm@1.29.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1.
    Severity
    8.6 (High)
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-506 - Embedded Malicious Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    duckdb duckdb-node Affected: = 1.3.3
    Affected: = 1.29.2
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59037",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T14:04:02.469534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T14:28:58.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "duckdb-node",
          "vendor": "duckdb",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.3.3"
            },
            {
              "status": "affected",
              "version": "= 1.29.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB\u0027s packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, and `@duckdb/duckdb-wasm@1.29.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T20:26:57.986Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c"
        },
        {
          "name": "https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4"
        },
        {
          "name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
        }
      ],
      "source": {
        "advisory": "GHSA-w62p-hx95-gf2c",
        "discovery": "UNKNOWN"
      },
      "title": "DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59037",
    "datePublished": "2025-09-09T20:26:57.986Z",
    "dateReserved": "2025-09-08T16:19:26.171Z",
    "dateUpdated": "2025-09-10T14:28:58.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}