CVE-2025-59039

Summary

Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware. This includes the extremely popular jsdelivr hosting of this file. The maintainers of PUC unpublished version 1.17.3. Users should see Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 as soon as possible to avoid similar attacks in the future.

Affected Software

VendorProductVersion RangeStatus
prebidprebid-universal-creative= 1.17.3affected

Weaknesses

  • CWE-506: CWE-506: Embedded Malicious Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References