2394259 – (CVE-2025-59037) CVE-2025-59037 duckdb: DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

Bug 2394259 (CVE-2025-59037) - CVE-2025-59037 duckdb: DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

Summary: CVE-2025-59037 duckdb: DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromis...

Keywords:
Status:	NEW
Alias:	CVE-2025-59037
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-09 21:01 UTC by OSIDB Bzimport
Modified:	2025-09-23 20:55 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-09 21:01:31 UTC

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/node-api.3`, `@duckdb/node-bindings.3`, `duckdb.3`, and `@duckdb/duckdb-wasm.2` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1.

Note You need to log in before you can comment on or make changes to this bug.