Vulnerability in Duckdb Duckdb-node

CVE-2025-59037

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of fou…

EPSS: 0.003 (26.8th percentile).

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-59037?
CVE-2025-59037 is a vulnerability in Duckdb Duckdb-node, classified under CWE-506. Published 2025-09-09.

Is CVE-2025-59037 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.