npm package
debug
pkg:npm/debug
3 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-4x49-vf9v-38px: debug@4.4.2 contains malware after npm account takeover, Sep 15, 2025
- MAL-2025-46974: Malicious code in debug (npm), Sep 8, 2025
- GHSA-8mgj-vmr8-frr6: Duplicate Advisory: Malware in debug, Sep 8, 2025
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59144 | Hig | — | | >= 4.4.2, < 4.4.3 | 4.4.3 | Sep 15, 2025 | debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cr |
| CVE-2017-20165 | | — | | >= 3.0.0, < 3.1.0 | 3.1.0 | Jan 9, 2023 | A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to addr |
| CVE-2017-16137 | Med | 5.3 | | < 2.6.9 | 2.6.9 | Jun 7, 2018 | The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue. |