CVE-2025-59038

HIGH

Prebid.js <10.9.2 - Open Redirect

Title source: llm

Description

Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fixes the issue. As a workaround, it is also possible to downgrade to 10.9.1.

References (2)

[Vendor Advisory] https://github.com/prebid/Prebid.js/security/advisories/GHSA-jwq7-6j4r-2f92

[Various Sources] https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

Scores

CVSS v4 8.6

EPSS 0.0007

EPSS Percentile 22.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-506

Status published

Products (2)

npm/prebid.js 10.9.2 - 10.10.0npm

prebid/Prebid.js = 10.9.2

Published Sep 09, 2025

Tracked Since Feb 18, 2026