Malware in DuckDB Node.js Distribution Impacts SQL Database Management System
CVE-2025-59037

8.6HIGH

Key Information:

Vendor: Duckdb
Status: Duckdb-node
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-59037?

On September 8, 2025, the DuckDB distribution for Node.js on npm was compromised, allowing malware to be introduced into four specific packages. This malicious code aimed to disrupt cryptocoin transactions, although the affected packages had not been downloaded before being deprecated. The packages involved were identified as @duckdb/[email protected], @duckdb/[email protected], [email protected], and @duckdb/[email protected]. In response, DuckDB deprecated the compromised versions and worked with npm to remove them, subsequently releasing updated versions 1.3.4 and 1.30.0. Users are encouraged to upgrade to the latest versions to ensure their systems are secure, or alternatively, can downgrade to versions 1.3.2 or 1.29.1 as a temporary measure.

Affected Version(s)

duckdb-node = 1.3.3 = 1.3.3

duckdb-node = 1.29.2 = 1.29.2

References

https://github.com/duckdb/duckdb-node/security/advisories...

x_refsource_CONFIRM

https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4

x_refsource_MISC

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-...

x_refsource_MISC

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Sep 8, 2025

Duckdb

What is CVE-2025-59037?

Affected Version(s)

References

CVSS V4

Timeline