High severity · NVD Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026

CVE-2025-59038


Description

Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fixes the issue. As a workaround, it is also possible to downgrade to 10.9.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
prebid.js (npm) | >= 10.9.2, < 10.10.0 | 10.10.0


Patches

72c7f184028f

Fix timeout tracking (#13798)

https://github.com/prebid/Prebid.js · SebRobert · Sep 3, 2025 · via ghsa
2 files changed · +52 11
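--- a/modules/beopBidAdapter.js
+++ b/modules/beopBidAdapter.js
@@ -114,19 +114,21 @@ export const spec = {
     return [];
   },
   onTimeout: function(timeoutData) {
-    if (timeoutData === null || typeof timeoutData === 'undefined' || Object.keys(timeoutData).length === 0) {
+    if (!Array.isArray(timeoutData) || timeoutData.length === 0) {
       return;
     }
 
-    const trackingParams = buildTrackingParams(timeoutData, 'timeout', timeoutData.timeout);
+    timeoutData.forEach((timeout) => {
+      const trackingParams = buildTrackingParams(timeout, 'timeout', timeout.timeout);
 
-    logWarn(BIDDER_CODE + ': timed out request');
-    triggerPixel(buildUrl({
-      protocol: 'https',
-      hostname: 't.collectiveaudience.co',
-      pathname: '/bid',
-      search: trackingParams
-    }));
+      logWarn(BIDDER_CODE + ': timed out request for adUnitCode ' + timeout.adUnitCode);
+      triggerPixel(buildUrl({
+        protocol: 'https',
+        hostname: 't.collectiveaudience.co',
+        pathname: '/bid',
+        search: trackingParams
+      }));
+    });
   },
   onBidWon: function(bid) {
     if (bid === null || typeof bid === 'undefined' || Object.keys(bid).length === 0) {
@@ -174,7 +176,7 @@ export const spec = {
 }
 
 function buildTrackingParams(data, info, value) {
-  const params = Array.isArray(data.params) ? data.params[0] : data.params;
+  const params = Array.isArray(data.params) ? data.params[0] : data.params || {};
   const pageUrl = getPageUrl(null, window);
   return {
     pid: params.accountId ?? (data.ad?.match(/account: “([a-f\d]{24})“/)?.[1] ?? ''),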
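Review bot: The per-entry callback introduced at `timeoutData.forEach((timeout) => {` dereferences each element (`timeout.timeout`, `timeout.adUnitCode`, and `data.params` inside buildTrackingParams) without checking that it is an object, so a null or undefined entry in the array would throw out of the loop and skip the remaining pixels, where the old code only had to guard the single top-level value. A one-line guard at the top of the callback, `if (!timeout || typeof timeout !== 'object') return;`, keeps the tracking best-effort per entry. The new log line will also print `undefined` when adUnitCode is missing from an entry; if that is intended, a short comment such as `// adUnitCode may be absent on core-supplied timeout records` would make it explicit. The second hunk's `data.params || {}` fallback covers a missing params object for this call, but buildTrackingParams continues outside the hunk, so any other fields it reads from data are not visible here.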
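--- a/test/spec/modules/beopBidAdapter_spec.js
+++ b/test/spec/modules/beopBidAdapter_spec.js
@@ -236,15 +236,54 @@ describe('BeOp Bid Adapter tests', () => {
     it('should call triggerPixel utils function when timed out is filled', function () {
       spec.onTimeout({});
       spec.onTimeout();
+      spec.onTimeout(null);
+      spec.onTimeout([]);
       expect(triggerPixelStub.getCall(0)).to.be.null;
-      spec.onTimeout({params: {accountId: '5a8af500c9e77c00017e4cad'}, timeout: 2000});
+      spec.onTimeout([{
+        bidder: 'beop',
+        bidId: 'abc123',
+        params: { accountId: '5a8af500c9e77c00017e4cad' },
+        adUnitCode: 'div-1',
+        timeout: 2000,
+        auctionId: 'some-auction-id'
+      }]);
       expect(triggerPixelStub.getCall(0)).to.not.be.null;
       expect(triggerPixelStub.getCall(0).args[0]).to.exist.and.to.include('https://t.collectiveaudience.co');
       expect(triggerPixelStub.getCall(0).args[0]).to.include('se_ca=bid');
       expect(triggerPixelStub.getCall(0).args[0]).to.include('se_ac=timeout');
       expect(triggerPixelStub.getCall(0).args[0]).to.include('pid=5a8af500c9e77c00017e4cad');
     });
 
+    it('should call triggerPixel for each entry in the timeout array', function () {
+      const timeoutData = [
+        {
+          bidder: 'beop',
+          bidId: 'abc123',
+          params: { accountId: '5a8af500c9e77c00017e4cad' },
+          adUnitCode: 'div-1',
+          timeout: 3000,
+          auctionId: 'auction-1'
+        },
+        {
+          bidder: 'beop',
+          bidId: 'def456',
+          params: { accountId: '5a8af500c9e77c00017e4cad' },
+          adUnitCode: 'div-2',
+          timeout: 3000,
+          auctionId: 'auction-2'
+        }
+      ];
+
+      spec.onTimeout(timeoutData);
+
+      expect(triggerPixelStub.callCount).to.equal(2);
+      const firstCall = triggerPixelStub.getCall(0).args[0];
+      const secondCall = triggerPixelStub.getCall(1).args[0];
+
+      expect(firstCall).to.include('se_ac=timeout');
+      expect(firstCall).to.include('bid=abc123');
+      expect(secondCall).to.include('bid=def456');
+    });
     it('should call triggerPixel utils function on bid won', function () {
       spec.onBidWon({});
       spec.onBidWon();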
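Review bot: The `data.params || {}` fallback added to buildTrackingParams in the adapter is not exercised by either new test: every array entry passed to spec.onTimeout here carries `params: { accountId: ... }`, so a regression back to dereferencing an undefined params object would go unnoticed. Adding one entry without params, e.g. `spec.onTimeout([{ bidder: 'beop', bidId: 'ghi789', adUnitCode: 'div-3', timeout: 2000 }]);`, and asserting that triggerPixelStub was still called would pin the behaviour the fix introduces. The second test also checks only `bid=abc123` / `bid=def456`, not that each URL reflects its own entry's adUnitCode, which is the per-entry distinction the new log message reports; whether adUnitCode is part of the tracking params is not visible in this section. The enclosing describe block starts and ends outside the hunk, so whether triggerPixelStub is reset between these two cases (which the callCount assertion depends on) cannot be confirmed here.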

