CVE-2025-54428
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-07-29

Assigner: GitHub, Inc.

Description
RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
revelacode | revelacode-backend | 1.0.0
CWE ID | Description
CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Powered Q&A
Can you explain this vulnerability to me?

In versions of RevelaCode below 1.0.1, a valid MongoDB Atlas URI containing an embedded username and password was accidentally committed to a public repository. This exposure could allow unauthorized individuals to access production or staging databases, potentially leading to unauthorized data access or manipulation.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to your production or staging databases, which may result in data exfiltration, modification, or deletion. Such impacts can compromise the confidentiality, integrity, and availability of your data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve auditing recent access logs for suspicious activity related to the exposed MongoDB Atlas database. Specific commands depend on your logging and monitoring setup, but generally, you can check MongoDB Atlas logs for unusual connections or queries. For example, you can use the MongoDB Atlas UI or API to review recent connection logs, or use `mongosh` to query the system.profile collection if profiling is enabled. However, no specific commands are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include rotating credentials for the exposed database user to invalidate the leaked credentials, using a secret manager (such as Vault, Doppler, AWS Secrets Manager) instead of storing secrets directly in code, and auditing recent access logs for suspicious activity to identify potential unauthorized access.
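The CWE-522 pattern behind this advisory is a connection string with a username and password embedded in source. The following added example (not code from the RevelaCode project) shows the two defensive halves: a scanner that flags MongoDB and MongoDB Atlas (`mongodb+srv://`) URIs carrying embedded credentials in a file, reporting them with the password redacted, and a loader that takes the URI from the environment (where a secret manager would inject it) instead of from code. The sample config text and the `MONGODB_URI` variable name are constructed assumptions.

```python
import os
import re

# Matches mongodb:// and mongodb+srv:// URIs. The credential part is optional
# so the scanner can tell a harmless host-only URI from one leaking a password.
MONGO_URI_RE = re.compile(
    r"""mongodb(?:\+srv)?://(?:(?P<user>[^:/@\s]+):(?P<password>[^@\s]+)@)?(?P<host>[^/\s"']+)"""
)

# Constructed sample of a settings file; not taken from the RevelaCode repository.
SAMPLE_CONFIG = """# settings.py (constructed sample)
DEBUG = True
MONGODB_URI = "mongodb+srv://appuser:Example123@cluster0.example.mongodb.net/revela"
LOCAL_URI = "mongodb://localhost:27017/dev"
"""


def redact(uri: str) -> str:
    """Mask the password so a finding can be logged or ticketed without re-leaking it."""
    return re.sub(r"://([^:/@]+):[^@]+@", r"://\1:***@", uri)


def find_embedded_credentials(text: str):
    """Return (line_number, redacted_uri) for every URI that embeds username:password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in MONGO_URI_RE.finditer(line):
            if match.group("password") is None:
                continue  # host-only URI: nothing secret to leak
            findings.append((lineno, redact(match.group(0))))
    return findings


def load_mongo_uri(env=os.environ) -> str:
    """Read the URI from the environment (populated by a secret manager), never from source."""
    uri = env.get("MONGODB_URI")  # assumed variable name
    if not uri:
        raise RuntimeError("MONGODB_URI is not set; inject it from your secret manager")
    return uri


if __name__ == "__main__":
    for lineno, uri in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: embedded credentials in {uri}")
```

Run the scanner over tracked files (or as a pre-commit hook) to catch a connection string before it reaches a public repository; if a finding appears in history, treat the credential as compromised and rotate it regardless of whether the commit is later removed.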

