Vulnerability in Duckdb Duckdb-node
CVE-2025-59037
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of fou…
EPSS: 0.003 (26.8th percentile)
Affected products
- Duckdb Duckdb-node — exact-version matches only: 1.3.3 and 1.29.2
Weakness classification (CWE)
- CWE-506: Embedded Malicious Code
Public proof-of-concept exploits
References
- GitHub Security Advisories (security-advisories@github.com), tagged x_refsource_CONFIRM
- GitHub Security Advisories (security-advisories@github.com), tagged x_refsource_MISC (two entries)
Frequently asked questions
- What is CVE-2025-59037?
- CVE-2025-59037 records the malicious versions of the DuckDB Node.js distribution on npm (Duckdb Duckdb-node), classified under CWE-506 (Embedded Malicious Code). Published 2025-09-09.
- Is CVE-2025-59037 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog. Because the weakness is malicious code shipped inside the package itself, any build host or runtime that installed an affected version should be treated as compromised regardless of the KEV status.