Wiz
Vulnerability DatabaseCVE-2025-59039

CVE-2025-59039
JavaScript vulnerability analysis and mitigation

Overview

CVE-2025-59039 affects Prebid Universal Creative (PUC), a JavaScript API for rendering multiple formats. The vulnerability was discovered and disclosed on September 9, 2025, impacting version 1.17.3 and the 'latest' version of PUC. The issue involved crypto-related malware that was briefly present in these versions, including the widely-used jsdelivr hosting of the file (GitHub Advisory).

Technical details

The vulnerability was introduced through a supply chain attack where malicious actors gained control of the npm package publishing credentials. The compromised package contained cryptocurrency-stealing malware. The vulnerability has been assigned a CVSS 4.0 Base Score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-506 (Embedded Malicious Code) (GitHub Advisory, Sonatype Blog).

Impact

The impact of this vulnerability is severe due to PUC's widespread use through jsdelivr hosting. The malicious code was specifically designed for cryptocurrency theft, putting downstream applications and their users at immediate risk. The compromised package could potentially lead to theft of API keys, tokens, and sensitive credentials, establishment of persistent backdoors, and broader system infiltration (Sonatype Blog).

Mitigation and workarounds

The maintainers have unpublished version 1.17.3 from npm. Users are advised to transition to version 1.17.2 immediately to avoid similar attacks. Additionally, users should refer to Prebid.js 9 release notes for guidance on moving away from the deprecated workflow of using PUC or pointing to a dynamic version (GitHub Advisory).

Community reactions

The security community has recognized this as part of a broader pattern of sophisticated supply chain attacks targeting popular open source packages. Security researchers at Sonatype have identified this as part of a larger campaign affecting multiple npm packages, highlighting the increasing trend of attackers targeting under-resourced but widely-used open source projects (Sonatype Blog).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-59145HIGH8.8
  • JavaScriptJavaScript
  • color-name
NoYesSep 15, 2025
CVE-2025-59331HIGH8.8
  • JavaScriptJavaScript
  • is-arrayish
NoYesSep 15, 2025
CVE-2025-59330HIGH8.8
  • JavaScriptJavaScript
  • error-ex
NoYesSep 15, 2025
CVE-2025-59162HIGH8.8
  • JavaScriptJavaScript
  • color-convert
NoYesSep 15, 2025
CVE-2025-9862MEDIUM6.1
  • JavaScriptJavaScript
  • ghost
NoYesSep 15, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo