CVE-2025-27144
ghsa-malware vulnerability in v4 (Go)
What is CVE-2025-27144 About?
This is a ghsa-malware vulnerability representing a full compromise of any system with the package installed, attributed to the Shai-Hulud NPM worm. It leads to the theft of tokens and credentials, followed by self-propagation to other NPM packages owned by the user. The exploitation is trivial once the malicious package is installed.
Affected Software
- github.com/go-jose/go-jose/v4: <4.0.5
- github.com/go-jose/go-jose/v3: <3.0.4
- github.com/go-jose/go-jose: <3.0.4
Technical Details
The vulnerability is a supply chain attack where a malicious package, compromised by the Shai-Hulud NPM worm, is installed on a system. Upon installation or execution, the malicious payload activates a credential-stealing mechanism. This mechanism is designed to identify and exfiltrate sensitive information, specifically tokens and credentials, from the compromised machine. The stolen data is then published to GitHub, likely to a repository controlled by the attacker. Furthermore, the worm exhibits self-propagating behavior, modifying or publishing itself to other NPM packages owned by the compromised user, effectively spreading the compromise to other projects and potentially further down the software supply chain.
What is the Impact of CVE-2025-27144?
Successful exploitation may allow attackers to achieve full system compromise, steal sensitive credentials and tokens, facilitate further propagation of malicious software, and gain unauthorized access to other linked resources or accounts.
What is the Exploitability of CVE-2025-27144?
Exploitation is typically indirect, relying on a user installing a malicious package from a trusted repository. The complexity of the initial infection is low from the attacker's perspective, as the critical step is social engineering or compromising a package maintainer's account. No authentication or specific privilege is required beyond that needed to install a package. The attack is local to the machine where the package is installed, but its effects can propagate remotely by publishing stolen credentials. Key risk factors include reliance on public package registries, lack of vetting for third-party dependencies, and insufficient developer account security, which can lead to supply chain attacks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-27144?
Available Upgrade Options
- github.com/go-jose/go-jose/v3: <3.0.4 → Upgrade to 3.0.4
- github.com/go-jose/go-jose: <3.0.4 → Upgrade to 3.0.4
- github.com/go-jose/go-jose/v4: <4.0.5 → Upgrade to 4.0.5
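To check a project's go.mod against the ranges above, here is an added Go example; it is not code from go-jose or from this page. The module paths and fixed versions are the ones listed above; the sample go.mod, the `versionKey` helper and the `VulnerableRequires` function are this example's own constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed versions as listed on this page, keyed by Go module path.
var fixedVersions = map[string]string{
	"github.com/go-jose/go-jose":    "v3.0.4",
	"github.com/go-jose/go-jose/v3": "v3.0.4",
	"github.com/go-jose/go-jose/v4": "v4.0.5",
}
// SampleGoMod is a constructed go.mod for demonstration, not taken from any real project.
const SampleGoMod = "module example.com/app\ngo 1.22\nrequire (\n\tgithub.com/go-jose/go-jose/v4 v4.0.4\n\tgithub.com/go-jose/go-jose/v3 v3.0.4-0.20250101000000-abcdef123456 // indirect\n\tgithub.com/go-jose/go-jose v3.0.3+incompatible\n)\nrequire example.com/other v1.2.3\n"
// versionKey maps vMAJOR.MINOR.PATCH to an int that orders like semver.
func versionKey(s string) (key int, ok bool) {
	var major, minor, patch int
	base, _, pre := strings.Cut(strings.TrimPrefix(s, "v"), "-") // -prerelease or pseudo-version: ranks below the bare tag
	base, _, _ = strings.Cut(base, "+")                          // +incompatible is build metadata and does not affect order
	n, err := fmt.Sscanf(base, "%d.%d.%d", &major, &minor, &patch)
	key = ((major*1000+minor)*1000 + patch) * 2
	if pre {
		key--
	}
	return key, err == nil && n == 3
}

// VulnerableRequires scans go.mod text (block or single-line require, "// indirect" tolerated) and reports each go-jose module pinned below its fixed version.
func VulnerableRequires(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		have, okHave := versionKey(f[1])
		want, okWant := versionKey(fixedVersions[f[0]]) // unknown module: "" does not parse, so it is skipped
		if okHave && okWant && have < want {
			findings = append(findings, f[0]+" "+f[1]+" -> upgrade to "+fixedVersions[f[0]])
		}
	}
	return findings
}

func main() {
	for _, finding := range VulnerableRequires(SampleGoMod) {
		fmt.Println(finding)
	}
}
```

In a real project `govulncheck ./...` performs this kind of check against the Go vulnerability database; this stand-alone scanner only shows the version comparison for the ranges on this page.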
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-27144
- https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
- https://github.com/go-jose/go-jose
- https://osv.dev/vulnerability/GO-2025-3485
- https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
- https://github.com/go-jose/go-jose/releases/tag/v4.0.5
- https://github.com/golang/go/issues/71490
What are Similar Vulnerabilities to CVE-2025-27144?
Similar Vulnerabilities: CVE-2024-28822, CVE-2023-38545, CVE-2022-26134, CVE-2021-44228, CVE-2021-25746
