
Vulnerability_id VCID-p8y5-zfmu-duhg
Summary
color-name@2.0.1 contains malware after npm account takeover
On 8 September 2025, an npm publishing account for `color-name` was taken over after a phishing attack. Version `2.0.1` was published, functionally identical to the previous patch version, but with a malware payload added that attempts, from within browser environments, to redirect cryptocurrency transactions to the attacker's own addresses.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `<script>` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.
Aliases
0
alias CVE-2025-59145
1
alias GHSA-5fvm-p68v-5wmh
Fixed_packages
0
url pkg:npm/color-name@2.0.2
purl pkg:npm/color-name@2.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/color-name@2.0.2
Affected_packages
0
url pkg:npm/color-name@2.0.1
purl pkg:npm/color-name@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a3p7-p8e5-auhj
1
vulnerability VCID-p8y5-zfmu-duhg
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/color-name@2.0.1
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59145.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59145.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59145
reference_id
reference_type
scores
0
value 0.00105
scoring_system epss
scoring_elements 0.28248
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59145
2
reference_url https://github.com/colorjs/color-name
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/colorjs/color-name
3
reference_url https://github.com/debug-js/debug/issues/1005
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/
url https://github.com/debug-js/debug/issues/1005
4
reference_url https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/
url https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
5
reference_url https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/
url https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
6
reference_url https://www.ox.security/blog/npm-packages-compromised
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/
url https://www.ox.security/blog/npm-packages-compromised
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2395535
reference_id 2395535
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2395535
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59145
reference_id CVE-2025-59145
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59145
9
reference_url https://github.com/advisories/GHSA-5fvm-p68v-5wmh
reference_id GHSA-5fvm-p68v-5wmh
reference_type
scores
url https://github.com/advisories/GHSA-5fvm-p68v-5wmh
10
reference_url https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh
reference_id GHSA-5fvm-p68v-5wmh
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/
url https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh
Weaknesses
0
cwe_id 506
name Embedded Malicious Code
description The product contains code that appears to be malicious in nature.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 0.0
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p8y5-zfmu-duhg