9.6

CVE-2025-10894

Nx: nx/devkit: malicious versions of nx and plugins published to npm

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's accounts.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).

Collection URL: https://github.com/nrwl/nx
Package: nx
Default status: unaffected
Version 20.12.0: affected
Version 21.8.0: affected
Version 21.7.0: affected
Version 20.11.0: affected
Version 21.6.0: affected
Version 20.10.0: affected
Version 20.9.0: affected
Version 21.5.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/devkit
Default status: unaffected
Version 20.9.0: affected
Version 21.5.0: affected

Collection URL: https://nx.dev/powerpack
Package: nx/enterprise-cloud
Default status: unaffected
Version 3.2.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/eslint
Default status: unaffected
Version 21.5.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/js
Default status: unaffected
Version 20.9.0: affected
Version 21.5.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/key
Default status: unaffected
Version 3.2.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/node
Default status: unaffected
Version 20.9.0: affected
Version 21.5.0: affected

Collection URL: https://github.com/nrwl/nx
Package: nx/workspace
Default status: unaffected
Version 20.9.0: affected
Version 21.5.0: affected

Vendor: Red Hat
Product: Multicluster Global Hub
Default status: unaffected

Vendor: Red Hat
Product: OpenShift Serverless
Default status: unaffected

Vendor: Red Hat
Product: Red Hat Advanced Cluster Management for Kubernetes 2
Default status: unaffected

Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2
Default status: unaffected

No warning was found for this CVE.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.09% | 0.245

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
secalert@redhat.com | 9.6 | 2.8 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-506 Embedded Malicious Code

The product contains code that appears to be malicious in nature.