CVE-2025-59037

HIGH

DuckDB <1.3.3 - Info Disclosure

Title source: llm

Description

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included malicious code to interfere with cryptocoin transactions* According to the npm statistics, nobody has downloaded these packages before they were deprecated. The packages and versions `@duckdb/[email protected]`, `@duckdb/[email protected]`, `[email protected]`, and `@duckdb/[email protected]` were affected. DuckDB immediately deprecated the specific versions, engaged npm support to delete the affected verions, and re-released the node packages with higher version numbers (1.3.4/1.30.0). Users may upgrade to versions 1.3.4, 1.30.0, or a higher version to protect themselves. As a workaround, they may also downgrade to 1.3.2 or 1.29.1.

References (3)

[Vendor Advisory] https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c

[Release Notes] https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4

[Various Sources] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Scores

CVSS v4 8.6

EPSS 0.0006

EPSS Percentile 18.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-506

Status published

Products (6)

duckdb/duckdb-node = 1.29.2

duckdb/duckdb-node = 1.3.3

duckdb/duckdb-wasm 1.29.2 - 1.30.0npm

duckdb/node-api 1.3.3 - 1.3.4-alpha.27npm

duckdb/node-bindings 1.3.3 - 1.3.4-alpha.27npm

npm/duckdb 1.3.3 - 1.3.4npm

Published Sep 09, 2025

Tracked Since Feb 18, 2026