CVE-2025-54313

Warnung

Medienbericht

Exploit

EPSS 4.15%
Veröffentlicht 19.07.2025 00:00:00
Zuletzt bearbeitet 23.01.2026 18:33:09
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 14

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Prettier ≫ Eslint-config-prettier Version8.10.1 SwPlatformnode.js

Microsoft ≫ Windows Version-

Prettier ≫ Eslint-config-prettier Version9.1.1 SwPlatformnode.js

Microsoft ≫ Windows Version-

Prettier ≫ Eslint-config-prettier Version10.1.6 SwPlatformnode.js

Microsoft ≫ Windows Version-

Prettier ≫ Eslint-config-prettier Version10.1.7 SwPlatformnode.js

Microsoft ≫ Windows Version-

Prettier ≫ Eslint-plugin-prettier Version4.2.2 SwPlatformnode.js

Microsoft ≫ Windows Version-

Prettier ≫ Eslint-plugin-prettier Version4.2.3 SwPlatformnode.js

Microsoft ≫ Windows Version-

Un-ts ≫ Synckit Version0.11.9 SwPlatformnode.js

Microsoft ≫ Windows Version-

Un-ts ≫ Pkgr/core Version0.2.8 SwPlatformnode.js

Microsoft ≫ Windows Version-

Alexghr ≫ Got-fetch Version5.1.1 SwPlatformnode.js

Microsoft ≫ Windows Version-

Alexghr ≫ Got-fetch Version5.1.2 SwPlatformnode.js

Microsoft ≫ Windows Version-

Un-ts ≫ Napi-postinstall Version0.3.1 SwPlatformnode.js

Microsoft ≫ Windows Version-

Homarr ≫ Homarr Version >= 1.29.0 < 1.30.0

Microsoft ≫ Windows Version-

22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Prettier eslint-config-prettier Embedded Malicious Code Vulnerability

Schwachstelle

Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.15%	0.895

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	7.5	2.2	4.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

CWE-506 Embedded Malicious Code

The product contains code that appears to be malicious in nature.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

26.01.2026 15:00

https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise

Third Party Advisory

https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/

Third Party Advisory

Exploit

https://github.com/prettier/eslint-config-prettier/issues/339

Issue Tracking

https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions

Product

https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise

Third Party Advisory

Exploit

https://news.ycombinator.com/item?id=44609732

Issue Tracking

https://news.ycombinator.com/item?id=44608811

Issue Tracking

https://github.com/community-scripts/ProxmoxVE/discussions/6115

Third Party Advisory

https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-54313

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54313

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54313

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54313

22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog