vulnfeed by Novadyne

CVE-2025-32965: xrpl.js supply-chain key theft

CVE-2025-32965 (xrpl.js supply-chain key theft) is a supply-chain compromise (malicious code / key exfiltration) vulnerability in xrpl (npm). As of 2026-06-18 it carries a low 0.79% probability of exploitation in the next 30 days (EPSS). It is fixed in 4.2.5 / 2.14.3 — if you depend on an earlier version, upgrade.

Severity: Critical
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS (exploit probability, 30d): 0.8% · 51st percentile
Vulnerability type: Supply-Chain Compromise (malicious code / key exfiltration)
Affected package: xrpl (npm)
Fixed in: 4.2.5 / 2.14.3

What is CVE-2025-32965?

Several npm releases of the official XRP Ledger JavaScript SDK (xrpl) were hijacked to include malicious code that exfiltrated private keys and secrets to an attacker-controlled endpoint. Any application pinned to a poisoned version (4.2.1-4.2.4 or 2.14.2) risked silent theft of wallet keys; affected users had to rotate keys. Clean releases 4.2.5 and 2.14.3 remove the implant.

Is CVE-2025-32965 exploitable?

CVE-2025-32965 has an EPSS score of 0.8% (51st percentile), meaning a low 0.79% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, which scores as Critical severity. It is a supply-chain compromise (malicious code / key exfiltration) issue. Note that EPSS models exploitation of the vulnerability going forward; for a supply-chain implant the damage is done at install time, so the question for an affected deployment is whether a poisoned version was ever installed, not whether it will be exploited later.

What is the EPSS score for CVE-2025-32965?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2025-32965 is 0.8% (51st percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2025-32965?

Upgrade xrpl to 4.2.5 / 2.14.3 or later; these clean releases remove the implant. Upgrading alone is not sufficient if a poisoned version (4.2.1-4.2.4 or 2.14.2) was ever installed or run: the malicious code exfiltrated private keys and secrets to an attacker-controlled endpoint, so any wallet keys or secrets handled by the affected version should be treated as compromised and rotated.

Am I affected by CVE-2025-32965?

You are affected if your project (directly or transitively) depends on a vulnerable version of xrpl in the npm ecosystem. Check your lockfile for the resolved version, or scan automatically with VulnFeed.
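The following is an added example (not VulnFeed's or the xrpl project's own code) of the lockfile check described above: it walks an npm lockfile and reports every resolved copy of xrpl, including nested copies pulled in transitively, that falls in the compromised ranges named in this advisory (4.2.1-4.2.4 and 2.14.2). It handles both the lockfileVersion 2/3 layout (a flat "packages" map keyed by install path) and the older lockfileVersion 1 layout (a nested "dependencies" tree); the sample lockfile and its package names are constructed for illustration.

```javascript
// Added example: scan an npm lockfile for xrpl versions compromised in CVE-2025-32965.
// Not VulnFeed's or xrpl's code. Sample data below is constructed.

const PACKAGE = 'xrpl';
// Compromised releases per the advisory: 4.2.1 <= v <= 4.2.4, and exactly 2.14.2.
const AFFECTED_RANGES = [
  { min: [4, 2, 1], max: [4, 2, 4] },
  { min: [2, 14, 2], max: [2, 14, 2] },
];
// Clean release per major line (from the advisory).
const FIXED_IN = { 4: '4.2.5', 2: '2.14.3' };

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are ignored,
// which errs on the side of flagging (e.g. "4.2.3-rc.1" is treated as 4.2.3).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True if the version string falls inside any compromised range.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

function makeHit(path, version) {
  const major = parseVersion(version)[0];
  return { path, version, fixedIn: FIXED_IN[major] || 'latest' };
}

// lockfileVersion 1: nested "dependencies" tree, one level per node_modules hop.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && entry && isAffected(entry.version)) {
      hits.push(makeHit(path, entry.version));
    }
    walkV1(entry && entry.dependencies, `${path}/`, hits);
  }
}

// Return every install path whose resolved xrpl version is compromised. A clean
// top-level copy does not help if a transitive dependency pulled in a poisoned one,
// so nested paths (node_modules/a/node_modules/xrpl) are checked too.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // v2 lockfiles carry both "packages" and "dependencies"; use "packages" only,
    // so each installed copy is counted once.
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      const isXrpl = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (isXrpl && entry && isAffected(entry.version)) hits.push(makeHit(path, entry.version));
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits;
}

// Convenience wrapper for raw package-lock.json text.
function scanLockfileText(jsonText) {
  return findAffected(JSON.parse(jsonText));
}

// Constructed sample (lockfileVersion 3): clean top-level xrpl, two poisoned nested
// copies, and an unrelated package whose name merely starts with "xrpl".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/xrpl': { version: '4.2.5' },
    'node_modules/some-wallet-lib': { version: '0.3.0' },
    'node_modules/some-wallet-lib/node_modules/xrpl': { version: '4.2.3' },
    'node_modules/other-lib/node_modules/xrpl': { version: '2.14.2' },
    'node_modules/xrpl-client': { version: '2.0.0' },
  },
};

// Constructed sample in the lockfileVersion 1 layout, for the same tree.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    xrpl: { version: '4.2.5' },
    'some-wallet-lib': { version: '0.3.0', dependencies: { xrpl: { version: '4.2.3' } } },
  },
};

for (const hit of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`AFFECTED ${hit.path} resolves xrpl ${hit.version}; upgrade to ${hit.fixedIn} and rotate keys`);
}
```

To check a real project, read package-lock.json from disk and pass its text to scanLockfileText; any hit means the poisoned code was installed into that path, so besides upgrading, treat keys handled by that install as compromised, as the advisory says.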

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.