Embedded malicious code (backdoor) in color-string - CVE-2025-59142

 


Published: April 24, 2026


Vulnerability identifier: #VU127493
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-59142
CWE-ID: CWE-506
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Qix
Affected software:
color-string

Detailed vulnerability description

The vulnerability allows a remote attacker to manipulate cryptocurrency transactions in browser environments.

The vulnerability exists due to embedded malicious code in the color-string package when the package is executed in a browser context. A remote attacker can publish and distribute a compromised package version to manipulate cryptocurrency transactions in browser environments.

Local environments, server environments, and command line applications are not affected. The malware appears to target cryptocurrency wallets, such as MetaMask, and the transactions made through them.


How to mitigate CVE-2025-59142

Install the security update from the vendor's website.
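
To confirm which copies of color-string a browser-facing project resolves, including copies nested under other dependencies, the npm lockfile can be checked before and after updating. The following is an added example, not part of this advisory or the vendor's code; the sample lockfile and its version strings are constructed, and AFFECTED_VERSIONS is a placeholder to fill in from the vendor advisory, since this page does not list affected versions.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/color-string": { version: "0.0.2-example" },
    "node_modules/some-ui-lib": { version: "3.1.0" },
    "node_modules/some-ui-lib/node_modules/color-string": { version: "0.0.1-example" },
    "node_modules/color-string-extra": { version: "2.0.0" }
  }
};

// Placeholder set: take the real affected version(s) from the vendor advisory.
const AFFECTED_VERSIONS = new Set(["0.0.1-example"]);

// Return every resolved copy of `name`, including nested (transitive) copies.
function findPackageVersions(lock, name) {
  const hits = [];
  const marker = "node_modules/";
  // npm v7+ (lockfileVersion 2 and 3): flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    // Compare the full trailing name so "color-string-extra" does not match.
    if (idx !== -1 && path.slice(idx + marker.length) === name) {
      hits.push({ path, version: meta.version });
    }
  }
  // npm v6 (lockfileVersion 1): nested "dependencies" tree.
  if (hits.length === 0) walkV1(lock.dependencies, "", name, hits);
  return hits;
}

function walkV1(deps, prefix, name, hits) {
  for (const [dep, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${dep}`;
    if (dep === name) hits.push({ path, version: meta.version });
    walkV1(meta.dependencies, `${path}/`, name, hits);
  }
}

// Copies of `name` whose resolved version is in the affected set.
function findAffected(lock, name, affected) {
  return findPackageVersions(lock, name).filter((h) => affected.has(h.version));
}

console.log(findAffected(SAMPLE_LOCK, "color-string", AFFECTED_VERSIONS));
```

For a real project, pass the parsed contents of package-lock.json in place of SAMPLE_LOCK; an empty result after updating means no affected copy is still pinned.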
