Malware in DuckDB Node.js Distribution Impacts SQL Database Management System
CVE-2025-59037

8.6HIGH

Key Information:

Vendor

Duckdb

Status
Duckdb-node
Vendor
CVE Published:
9 September 2025

What is CVE-2025-59037?

On September 8, 2025, the DuckDB distribution for Node.js on npm was compromised, allowing malware to be introduced into four specific packages. This malicious code aimed to disrupt cryptocoin transactions, although the affected packages had not been downloaded before being deprecated. The packages involved were identified as @duckdb/node-api@1.3.3, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, and @duckdb/duckdb-wasm@1.29.2. In response, DuckDB deprecated the compromised versions and worked with npm to remove them, subsequently releasing updated versions 1.3.4 and 1.30.0. Users are encouraged to upgrade to the latest versions to ensure their systems are secure, or alternatively, can downgrade to versions 1.3.2 or 1.29.1 as a temporary measure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

duckdb-node = 1.3.3 = 1.3.3

duckdb-node = 1.29.2 = 1.29.2

References

https://github.com/duckdb/duckdb-node/security/advisories...
x_refsource_CONFIRM
https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4
x_refsource_MISC
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.