CNNVD-202509-1145 Information
CNNVD ID
CNNVD-202509-1145
Related CVE
- CNNVD Published: 2025-09-09
Description (Chinese)
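DuckDB is an in-process SQL OLAP database management system open-sourced by DuckDB. DuckDB has a security vulnerability that stems from malicious code having been implanted in its npm packages, which could interfere with cryptocurrency transactions. The following products and versions are affected: DuckDB node-api 1.3.3, node-bindings 1.3.3, duckdb 1.3.3 and duckdb-wasm 1.29.2.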
Description (English)
DuckDB is an open-source, in-process SQL OLAP database management system from DuckDB. DuckDB contains a security vulnerability caused by malicious code implanted in its npm packages, which could interfere with cryptocurrency transactions. The following products and versions are affected: DuckDB node-api 1.3.3, node-bindings 1.3.3, duckdb 1.3.3 and duckdb-wasm 1.29.2.
Hazard Level
Low
Vulnerability Type
Other
Affected Vendor
DuckDB
Published
2025-09-09
Last Modified
2026-02-24
References
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
https://github.com/duckdb/duckdb-node/releases/tag/v1.3.4
https://access.redhat.com/security/cve/cve-2025-59037
Patch
https://duckdb.org/#quickinstall