CVE-2025-54313
BaseFortify
Publication date: 2025-07-19
Last updated on: 2025-07-23
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eslint | eslint-config-prettier | 9.1.1 |
| eslint | eslint-config-prettier | 10.1.6 |
| synckit | synckit | 0.11.9 |
| napi-postinstall | napi-postinstall | 0.3.1 |
| eslint | eslint-config-prettier | 8.10.1 |
| eslint | eslint-plugin-prettier | 4.2.2 |
| @pkgr | core | 0.2.8 |
| eslint | eslint-config-prettier | 10.1.7 |
| eslint | eslint-plugin-prettier | 4.2.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54313 is a supply chain compromise involving the npm package eslint-config-prettier in versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. Malicious code was embedded in these versions, which, when installed, executes an install.js script that launches a malware DLL named node-gyp.dll on Windows systems. The compromise occurred after the maintainer was targeted by a phishing attack that leaked a malicious npm token, allowing the attacker to publish unauthorized malicious versions. The malicious code specifically targets Windows platforms by checking the OS and then running the DLL via rundll32. This incident highlights risks in software supply chains and the importance of verifying package provenance and securing developer credentials. [3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by causing malicious code to be executed on your Windows development or build environment when installing affected versions of eslint-config-prettier. The malware installs a DLL (node-gyp.dll) which could potentially compromise your system or development pipeline. Since eslint-config-prettier is widely used in JavaScript and TypeScript projects, many developers and CI/CD pipelines could be exposed, leading to possible unauthorized access, data compromise, or further supply chain attacks. Automated tools like Dependabot and Renovate Bot may have propagated these compromised versions, increasing the risk of exposure. Immediate impacts include potential system compromise, disruption of development workflows, and increased security risks in your software supply chain. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve auditing recent dependency updates and CI/CD pipeline logs for suspicious activity related to eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7, which are known to be compromised. Monitoring for installation of the malicious DLL named 'node-gyp.dll' on Windows systems can also help detect exploitation. Additionally, disabling npm install scripts (e.g., by setting 'ignore-scripts=true' in .npmrc) can prevent execution of malicious install scripts. Specific commands are not provided in the resources, but general steps include checking package-lock.json or yarn.lock for affected versions, and scanning for unexpected child processes invoking 'rundll32' with 'node-gyp.dll'. [3, 4]
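One concrete way to do the lockfile check described above, as an added example (not code from BaseFortify or the eslint project): the script below scans a parsed package-lock.json for every package and version listed in this advisory's affected-products table, handling both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1. The `SAMPLE_LOCK` lockfile is constructed for the demonstration.

```javascript
// Added example, not code from BaseFortify or the eslint project: scan a
// package-lock.json for the package versions this advisory lists as compromised.
// Package -> compromised versions, taken from the advisory's affected-products table.
const AFFECTED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// Return [{name, version, path}] for every installed copy of a listed version.
// Handles lockfileVersion 2/3 ("packages", keyed by node_modules paths, scoped
// names included) and lockfileVersion 1 (nested "dependencies"). Hits are keyed
// by path so a v2 lockfile, which carries both shapes, reports each copy once.
function findCompromised(lock) {
  const hits = new Map();
  const check = (name, version, path) => {
    if ((AFFECTED[name] || []).includes(version)) hits.set(path, { name, version, path });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    check(path.slice(idx + "node_modules/".length), meta.version, path);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, meta.version, path);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed lockfile: one direct hit, one nested hit, two clean packages.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.6" },
    "node_modules/eslint-plugin-prettier": { version: "5.0.0" },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9" },
    "node_modules/@pkgr/core": { version: "0.2.7" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` instead of `SAMPLE_LOCK`; an empty result means none of the listed versions is installed anywhere in the tree, including nested copies.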
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include pinning eslint-config-prettier dependencies to known safe versions (versions not listed as compromised), auditing recent dependency updates and CI/CD pipeline logs for suspicious activity, and monitoring official updates from maintainers. It is also recommended to disable npm install scripts by setting 'ignore-scripts=true' in the .npmrc configuration to prevent execution of malicious code during package installation, especially on Windows systems. Using password managers to avoid typosquatting domains and training employees against phishing attacks are also advised. Finally, consider using tools or controls that detect pull requests upgrading to compromised package versions. [3, 4]