140 matches found
CVE-2025-64429 DuckDB Encryption Crypto implementation is vulnerable
DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The DuckDB can fall back to an insecure random number generator pcg32 to generate cryptographic keys or...
CVE-2025-64429
DuckDB 1.4.0–pre-1.4.2 encryption implementation is vulnerable due to multiple cryptographic weaknesses: insecure RNG (pcg32 fallback), possible memory wipe omission (memset) leaving secrets, and header manipulation could downgrade from GCM to CTR, bypassing integrity. There may also be unhandled...
DuckDB 加密问题漏洞
DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A cryptographic issue vulnerability exists in DuckDB versions 1.4.0 through prior to 1.4.2, which stems from a cryptographic implementation issue that could lead to key disclosure or bypass integrity checks...
PT-2025-46723
Name of the Vulnerable Software and Affected Versions DuckDB versions 1.4.0 through 1.4.1 Description DuckDB, a SQL database management system, contains issues related to its block-based encryption implementation introduced in version 1.4.0. The system can fall back to an insecure random number...
Malicious Package Injection
DuckDB is vulnerable to malicious package injection. The vulnerability is due to unauthorized access and compromise of the npm package publishing process, which allowed an attacker to upload malicious versions of DuckDB’s Node.js packages containing code that interfered with cryptocurrency...
EUVD-2024-0052
Malicious code in bioql PyPI...
EUVD-2025-6920
Malicious code in bioql PyPI...
EUVD-2025-7043
Malicious code in bioql PyPI...
EUVD-2025-7076
Malicious code in bioql PyPI...
CVE-2025-59037
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...
Linux Distros Unpatched Vulnerability : CVE-2024-9264
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitize...
CVE-2025-59037
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...
Embedded Malicious Code
Overview @duckdb/node-api is an API for using DuckDB in Node. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code...
Embedded Malicious Code
Overview @duckdb/duckdb-wasm is an in-process analytical SQL database for the browser. It is powered by WebAssembly, speaks Arrow fluently, reads Parquet, CSV and JSON files backed by Filesystem APIs or HTTP requests and has been tested with Chrome, Firefox, Safari and Node.js. Affected versions ...
Embedded Malicious Code
Overview @duckdb/node-bindings is a Node bindings to the DuckDB C API. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected...
Embedded Malicious Code
Overview duckdb is a Node.js API for DuckDB, the "SQLite for Analytics". The API for this client is somewhat compliant to the SQLite Node.js client for easier transition and transition you must eventually. Affected versions of this package are vulnerable to Embedded Malicious Code. This package...
CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...
CVE-2025-59037
CVE-2025-59037 covers DuckDB npm packages where four Node.js packages were briefly compromised with malware: @duckdb/[email protected], @duckdb/[email protected], [email protected], and @duckdb/[email protected]. The malicious versions attempted to interfere with cryptocurrency transactions. DuckDB de...
CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...
CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...