Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/20037?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20037?format=api", "vulnerability_id": "VCID-p8y5-zfmu-duhg", "summary": "color-name@2.0.1 contains malware after npm account takeover\nOn 8 September 2025, an npm publishing account for `color-name` was taken over after a phishing attack. Version `2.0.1` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\n\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `<script>` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\n\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.", "aliases": [ { "alias": "CVE-2025-59145" }, { "alias": "GHSA-5fvm-p68v-5wmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68844?format=api", "purl": "pkg:npm/color-name@2.0.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/color-name@2.0.2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68843?format=api", "purl": "pkg:npm/color-name@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3p7-p8e5-auhj" }, { "vulnerability": "VCID-p8y5-zfmu-duhg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/color-name@2.0.1" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59145.json", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59145.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59145", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28248", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59145" }, { "reference_url": "https://github.com/colorjs/color-name", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/colorjs/color-name" }, { "reference_url": "https://github.com/debug-js/debug/issues/1005", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/" } ], "url": "https://github.com/debug-js/debug/issues/1005" }, { "reference_url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/" } ], "url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack" }, { "reference_url": 
"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/" } ], "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "reference_url": "https://www.ox.security/blog/npm-packages-compromised", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/" } ], "url": "https://www.ox.security/blog/npm-packages-compromised" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395535", "reference_id": "2395535", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395535" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59145", "reference_id": "CVE-2025-59145", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59145" }, { "reference_url": "https://github.com/advisories/GHSA-5fvm-p68v-5wmh", "reference_id": "GHSA-5fvm-p68v-5wmh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5fvm-p68v-5wmh" }, { "reference_url": 
"https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh", "reference_id": "GHSA-5fvm-p68v-5wmh", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:39:50Z/" } ], "url": "https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh" } ], "weaknesses": [ { "cwe_id": 506, "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "0.0", "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p8y5-zfmu-duhg" }