CVE-2025-54313

🗓️ 19 Jul 2025 00:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 70 Views

eslint-config-prettier versions 8.10.1 to 10.1.7 contain malicious code for supply chain attacks.

Reporter	Title	Published	Views	Family All 21
GithubExploit	Exploit for CVE-2025-54313	26 Jul 202511:32	–	githubexploit
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	12 Nov 202507:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in eslint-config-prettier	6 Oct 202519:10	–	ibm
Circl	CVE-2025-54313	20 Jul 202500:35	–	circl
CISA KEV Catalog	Prettier eslint-config-prettier Embedded Malicious Code Vulnerability	22 Jan 202600:00	–	cisa_kev
CISA	CISA Adds Four Known Exploited Vulnerabilities to Catalog	22 Jan 202612:00	–	cisa
CNNVD	eslint-config-prettier 安全漏洞	19 Jul 202500:00	–	cnnvd
Cvelist	CVE-2025-54313	19 Jul 202500:00	–	cvelist
EUVD	EUVD-2025-21972	3 Oct 202520:07	–	euvd
Github Security Blog	eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code	19 Jul 202518:30	–	github

NVD

Vulners

Node

prettier eslint-config-prettierMatch8.10.1node.js

prettier eslint-config-prettierMatch9.1.1node.js

prettier eslint-config-prettierMatch10.1.6node.js

prettier eslint-config-prettierMatch10.1.7node.js

AND

microsoft windowsMatch-

Node

prettier eslint-plugin-prettierMatch4.2.2node.js

prettier eslint-plugin-prettierMatch4.2.3node.js

AND

microsoft windowsMatch-

Node

un-ts synckitMatch0.11.9node.js

AND

microsoft windowsMatch-

Node

un-ts pkgr/coreMatch0.2.8node.js

AND

microsoft windowsMatch-

Node

alexghr got-fetchMatch5.1.1node.js

alexghr got-fetchMatch5.1.2node.js

AND

microsoft windowsMatch-

Node

un-ts napi-postinstallMatch0.3.1node.js

AND

microsoft windowsMatch-

Node

homarr homarrRange1.29.0–1.30.0

AND

microsoft windowsMatch-

[
  {
    "defaultStatus": "unaffected",
    "product": "eslint-config-prettier",
    "vendor": "prettier",
    "versions": [
      {
        "status": "affected",
        "version": "8.10.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "9.1.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "10.1.6",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "10.1.7",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
socket	www.socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
news	www.news.ycombinator.com/item
stepsecurity	www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise
bleepingcomputer	www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/
npmjs	www.npmjs.com/package/eslint-config-prettier
news	www.news.ycombinator.com/item
github	www.github.com/prettier/eslint-config-prettier/issues/339
endorlabs	www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog
github	www.github.com/community-scripts/ProxmoxVE/discussions/6115

23 Jan 2026 18:33Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.17.5

EPSS0.12502

SSVC