CVE-2025-59039
Description
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware. This includes the extremely popular jsdelivr hosting of this file. The maintainers of PUC unpublished version 1.17.3. Users should see Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 as soon as possible to avoid similar attacks in the future.
Is your site exposed to CVE-2025-59039?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-59039? +
How do I check if I'm vulnerable to CVE-2025-59039? +
Related Vulnerabilities
xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, …
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm …
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 …
backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after …
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing …
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string …