
VSA-2025-001: npm supply chain attack

Published: 2025-09-10
Updated: 2025-09-10
Severity: 🟢 Low
CVSS 4.0: 8.6 and 9.3
Affected products:
  • Xen Orchestra (dev only)
  • XOA (not affected)

Several CVEs with high upstream scores were published. For Vates products, we classify the impact as Low, since none of the affected dependencies are shipped in production. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

A recent supply chain attack targeted the NPM ecosystem, injecting malicious code into certain package versions. We have conducted a thorough review of Xen Orchestra (XO) and its dependencies to assess potential exposure.

Impact

Production environments

For both XOA and XO from source, there is no impact, because none of the compromised dependency versions were bundled. You are not affected.

Development environments

Development environments could be affected only if developers:

  • Ignored or bypassed the yarn.lock dependency lock file.
  • Explicitly installed the compromised package versions.

Affected Versions

  • Xen Orchestra Appliance (XOA): Not affected.
  • XO from source (production deployments): Not affected.
  • XO development environments: Potential exposure only if dependency lock was overridden and malicious versions were installed.

Mitigation

Regular XOA users or XO from source production deployments are not affected and no action is required.

For development environments:

  • Ensure the yarn.lock file is respected when installing dependencies.
  • Update to the latest dependencies from the GitHub repository.

Resolution

As of 2025-09-09, all dependencies have been updated in the official Xen Orchestra GitHub repository. Both developers and users are protected moving forward.

Credits

Thanks to Socket (link in reference) and the open-source security community for rapid disclosure of the NPM compromise.

References