CVE-2025-54313 - Vulnerability Details - OpenCVE

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since yesterday.

Exploitation active

Automatable no

Technical Impact partial

Vendors	Products
Alexghr	Got-fetch
Homarr	Homarr
Microsoft	Windows
Prettier	Eslint-config-prettier Eslint-plugin-prettier
Un-ts	Napi-postinstall Pkgr\/core Synckit

Configuration 1 [-]

AND

OR	cpe:2.3:a:prettier:eslint-config-prettier:8.10.1:::::node.js::
	cpe:2.3:a:prettier:eslint-config-prettier:9.1.1:::::node.js::
	cpe:2.3:a:prettier:eslint-config-prettier:10.1.6:::::node.js::
	cpe:2.3:a:prettier:eslint-config-prettier:10.1.7:::::node.js::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.2:::::node.js::
	cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.3:::::node.js::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:un-ts:synckit:0.11.9:*:*:*:*:node.js:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:un-ts:pkgr\/core:0.2.8:*:*:*:*:node.js:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

OR	cpe:2.3:a:alexghr:got-fetch:5.1.1:::::node.js::
	cpe:2.3:a:alexghr:got-fetch:5.1.2:::::node.js::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:a:un-ts:napi-postinstall:0.3.1:*:*:*:*:node.js:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.spirityenterprise.com/mdr-for-endpoint
https://www.spirityenterprise.com/supply-chain-defense
https://github.com/community-scripts/ProxmoxVE/discussions/6115
https://github.com/prettier/eslint-config-prettier/issues/339
https://news.ycombinator.com/item?id=44608811
https://news.ycombinator.com/item?id=44609732
https://nvd.nist.gov/vuln/detail/CVE-2025-54313
https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313
https://www.cve.org/CVERecord?id=CVE-2025-54313
https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions
https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise

History

Fri, 23 Jan 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Alexghr Alexghr got-fetch Homarr Homarr homarr Microsoft Microsoft windows Prettier Prettier eslint-config-prettier Prettier eslint-plugin-prettier Un-ts Un-ts napi-postinstall Un-ts pkgr\/core Un-ts synckit
CPEs		cpe:2.3:a:alexghr:got-fetch:5.1.1:::::node.js:: cpe:2.3:a:alexghr:got-fetch:5.1.2:::::node.js:: cpe:2.3:a:homarr:homarr:::::::: cpe:2.3:a:prettier:eslint-config-prettier:10.1.6:::::node.js:: cpe:2.3:a:prettier:eslint-config-prettier:10.1.7:::::node.js:: cpe:2.3:a:prettier:eslint-config-prettier:8.10.1:::::node.js:: cpe:2.3:a:prettier:eslint-config-prettier:9.1.1:::::node.js:: cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.2:::::node.js:: cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.3:::::node.js:: cpe:2.3:a:un-ts:napi-postinstall:0.3.1:::::node.js:: cpe:2.3:a:un-ts:pkgr\/core:0.2.8:::::node.js:: cpe:2.3:a:un-ts:synckit:0.11.9:::::node.js:: cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Alexghr Alexghr got-fetch Homarr Homarr homarr Microsoft Microsoft windows Prettier Prettier eslint-config-prettier Prettier eslint-plugin-prettier Un-ts Un-ts napi-postinstall Un-ts pkgr\/core Un-ts synckit

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	kev `{'dateAdded': '2026-01-22T00:00:00+00:00', 'dueDate': '2026-02-12T00:00:00+00:00'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 29 Jul 2025 12:30:00 +0000

Type	Values Removed	Values Added
Title		eslint-config-prettier: Eslint-config-prettier Supply Chain Compromise
References		https://nvd.nist.gov/vuln/detail/CVE-2025-54313 https://www.cve.org/CVERecord?id=CVE-2025-54313
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 23 Jul 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 21 Jul 2025 16:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/community-scripts/ProxmoxVE/discussions/6115 https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only

Sat, 19 Jul 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description		eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Weaknesses		CWE-506
References		https://github.com/prettier/eslint-config-prettier/issues/339 https://news.ycombinator.com/item?id=44608811 https://news.ycombinator.com/item?id=44609732 https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/ https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-19T00:00:00.000Z

Updated: 2026-01-23T04:55:18.918Z

Reserved: 2025-07-19T00:00:00.000Z

Link: CVE-2025-54313

Vulnrichment

Updated: 2025-07-21T16:09:03.150Z

NVD

Status : Analyzed

Published: 2025-07-19T17:15:23.733

Modified: 2026-01-23T18:33:09.503

Link: CVE-2025-54313

Redhat

Severity : Important

Publid Date: 2025-07-19T00:00:00Z

Links: CVE-2025-54313 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-54313", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-01-23T04:55:18.918Z", "dateReserved": "2025-07-19T00:00:00.000Z", "datePublished": "2025-07-19T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "eslint-config-prettier", "vendor": "prettier", "versions": [{"status": "affected", "version": "8.10.1", "versionType": "semver"}, {"status": "affected", "version": "9.1.1", "versionType": "semver"}, {"status": "affected", "version": "10.1.6", "versionType": "semver"}, {"status": "affected", "version": "10.1.7", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "description": "CWE-506 Embedded Malicious Code", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-07-19T16:43:13.088Z"}, "references": [{"url": "https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"}, {"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"}, {"url": "https://github.com/prettier/eslint-config-prettier/issues/339"}, {"url": "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"}, {"url": "https://news.ycombinator.com/item?id=44609732"}, {"url": "https://news.ycombinator.com/item?id=44608811"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-07-21T16:09:03.150Z"}, "references": [{"url": "https://github.com/community-scripts/ProxmoxVE/discussions/6115"}, {"url": "https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}, {"references": [{"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/", "tags": ["exploit"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313", "tags": ["government-resource"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-54313"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2026-01-22", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T04:55:18.918Z"}, "timeline": [{"time": "2026-01-22T00:00:00+00:00", "lang": "en", "value": "CVE-2025-54313 added to CISA KEV"}]}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/community-scripts/ProxmoxVE/discussions/6115"}, {"url": "https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-07-21T16:09:03.150Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54313", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T18:24:35.903130Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2026-01-22", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313"}}}], "references": [{"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/", "tags": ["exploit"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T14:44:00.748Z"}, "timeline": [{"lang": "en", "time": "2026-01-22T00:00:00+00:00", "value": "CVE-2025-54313 added to CISA KEV"}]}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"}}], "affected": [{"vendor": "prettier", "product": "eslint-config-prettier", "versions": [{"status": "affected", "version": "8.10.1", "versionType": "semver"}, {"status": "affected", "version": "9.1.1", "versionType": "semver"}, {"status": "affected", "version": "10.1.6", "versionType": "semver"}, {"status": "affected", "version": "10.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"}, {"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"}, {"url": "https://github.com/prettier/eslint-config-prettier/issues/339"}, {"url": "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"}, {"url": "https://news.ycombinator.com/item?id=44609732"}, {"url": "https://news.ycombinator.com/item?id=44608811"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "CWE-506 Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-07-19T16:43:13.088Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54313", "state": "PUBLISHED", "dateUpdated": "2026-01-23T04:55:18.918Z", "dateReserved": "2025-07-19T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-07-19T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cisaActionDue": "2026-02-12", "cisaExploitAdd": "2026-01-22", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Prettier eslint-config-prettier Embedded Malicious Code Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prettier:eslint-config-prettier:8.10.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "B43B0C8D-0662-45E9-ADA9-AA6A8A5AC042", "vulnerable": true}, {"criteria": "cpe:2.3:a:prettier:eslint-config-prettier:9.1.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "9CAD3812-C7C4-443C-BFFE-3B7751EBCB38", "vulnerable": true}, {"criteria": "cpe:2.3:a:prettier:eslint-config-prettier:10.1.6:*:*:*:*:node.js:*:*", "matchCriteriaId": "64749F3A-C896-4133-8C21-4C2439780CB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:prettier:eslint-config-prettier:10.1.7:*:*:*:*:node.js:*:*", "matchCriteriaId": "C9CE9AC7-568C-43CF-8417-ADA21CECB3A5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "3A8983B4-86E8-4B13-95A1-EEF13107122B", "vulnerable": true}, {"criteria": "cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.3:*:*:*:*:node.js:*:*", "matchCriteriaId": "F22A30A9-BA7F-4B49-8C9B-547E79F1CD46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:un-ts:synckit:0.11.9:*:*:*:*:node.js:*:*", "matchCriteriaId": "92E47D68-A074-4FFD-8A7C-91BC032A95E1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:un-ts:pkgr\\/core:0.2.8:*:*:*:*:node.js:*:*", "matchCriteriaId": "CDB0E59B-E301-4686-88E0-A107B823FE77", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alexghr:got-fetch:5.1.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "9839FE3B-999A-4CA8-AE29-C6854B13A1FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:alexghr:got-fetch:5.1.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "6AA8D543-56F5-438E-B99B-ECD89642C416", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:un-ts:napi-postinstall:0.3.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "044AD411-E619-4FAE-8506-3C44FBBC5666", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3427958-A7B3-4FBA-A8D8-7F04C04E5F2F", "versionEndExcluding": "1.30.0", "versionStartIncluding": "1.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."}, {"lang": "es", "value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6 y 10.1.7 contiene c\u00f3digo malicioso que compromete la cadena de suministro. Al instalar un paquete afectado, se ejecuta un archivo install.js que lanza el malware node-gyp.dll en Windows."}], "id": "CVE-2025-54313", "lastModified": "2026-01-23T18:33:09.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-07-19T17:15:23.733", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/prettier/eslint-config-prettier/issues/339"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=44608811"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=44609732"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/community-scripts/ProxmoxVE/discussions/6115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "eslint-config-prettier: Eslint-config-prettier Supply Chain Compromise", "id": "2382071", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2382071"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-506", "details": ["eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.", "A flaw was found in eslint-config-prettier. An affected version contains embedded malicious code that executes an `install.js` file during package installation. This script launches the `node-gyp.dll` malware on Windows systems, allowing a remote attacker to execute arbitrary code."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-54313", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "mtv-candidate/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Not affected", "package_name": "openshift-lightspeed/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-codeflare-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-codeflare-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-data-science-pipelines-operator-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-data-science-pipelines-operator-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kf-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kf-notebook-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kuberay-operator-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kuberay-operator-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kueue-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kueue-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlmd-grpc-server-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlmd-grpc-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-api-server-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-driver-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-launcher-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-runtime-generic-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-runtime-generic-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mm-rest-proxy-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mm-rest-proxy-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-modelmesh-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-modelmesh-runtime-adapter-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-modelmesh-serving-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-modelmesh-serving-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-registry-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-registry-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-registry-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-notebook-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-rhel8-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/tempo-jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-extensions-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-rhel8-operator", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/must-gather-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.kie-process-migration-service", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Not affected", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}], "public_date": "2025-07-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-54313\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-54313\nhttps://github.com/prettier/eslint-config-prettier/issues/339\nhttps://news.ycombinator.com/item?id=44608811\nhttps://news.ycombinator.com/item?id=44609732\nhttps://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise\nhttps://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/\nhttps://www.npmjs.com/package/eslint-config-prettier?activeTab=versions\nhttps://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"], "statement": "No affected versions of eslint-config-prettier are shipped in any Red Hat products.", "threat_severity": "Important"}