CVE-2025-54313

KEV
Published: Lug 19, 2025 Last Modified: Gen 23, 2026 EU-VD ID: EUVD-2025-21972
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: high
Availability: none

Description

AI Translation Available

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0002
Percentile
0,1th
Updated

EPSS Score Trend (Last 90 Days)

506

Embedded Malicious Code

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
View CWE Details
Application

Napi-Postinstall by Un-Ts

Product Information
Vendor Un-Ts
Product Napi-Postinstall
Version 0.3.1
cpe:2.3:a:un-ts:napi-postinstall:0.3.1:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Plugin-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Plugin-Prettier
Version 4.2.2
cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.2:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Config-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Config-Prettier
Version 10.1.6
cpe:2.3:a:prettier:eslint-config-prettier:10.1.6:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Got-Fetch by Alexghr

Product Information
Vendor Alexghr
Product Got-Fetch
Version 5.1.2
cpe:2.3:a:alexghr:got-fetch:5.1.2:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Synckit by Un-Ts

Product Information
Vendor Un-Ts
Product Synckit
Version 0.11.9
cpe:2.3:a:un-ts:synckit:0.11.9:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Got-Fetch by Alexghr

Product Information
Vendor Alexghr
Product Got-Fetch
Version 5.1.1
cpe:2.3:a:alexghr:got-fetch:5.1.1:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Config-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Config-Prettier
Version 9.1.1
cpe:2.3:a:prettier:eslint-config-prettier:9.1.1:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Config-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Config-Prettier
Version 8.10.1
cpe:2.3:a:prettier:eslint-config-prettier:8.10.1:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Config-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Config-Prettier
Version 10.1.7
cpe:2.3:a:prettier:eslint-config-prettier:10.1.7:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Pkgr\/Core by Un-Ts

Product Information
Vendor Un-Ts
Product Pkgr\/Core
Version 0.2.8
cpe:2.3:a:un-ts:pkgr\/core:0.2.8:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Eslint-Plugin-Prettier by Prettier

Product Information
Vendor Prettier
Product Eslint-Plugin-Prettier
Version 4.2.3
cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.3:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Homarr by Homarr

Product Information
Vendor Homarr
Product Homarr
Version Range Affected
From 1.29.0 (inclusive)
To 1.30.0 (exclusive)
cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.bleepingcomputer.com/news/security/popular-npm-…
https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hija…
https://www.cisa.gov/known-exploited-vulnerabilities-catalo…
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025…
https://github.com/community-scripts/ProxmoxVE/discussions/…
https://github.com/community-scripts/ProxmoxVE/discussions/6115
https://www.endorlabs.com/learn/cve-2025-54313-eslint-confi…
https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromis…
https://github.com/prettier/eslint-config-prettier/issues/3…
https://github.com/prettier/eslint-config-prettier/issues/339
https://news.ycombinator.com/item?id=44608811
https://news.ycombinator.com/item?id=44608811
https://news.ycombinator.com/item?id=44609732
https://news.ycombinator.com/item?id=44609732
https://socket.dev/blog/npm-phishing-campaign-leads-to-pret…
https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-package…
https://www.bleepingcomputer.com/news/security/popular-npm-…
https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hija…
https://www.npmjs.com/package/eslint-config-prettier?active…
https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions
https://www.stepsecurity.io/blog/supply-chain-security-aler…
https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-pret…