CRITICAL🇵🇱 Wersja polska

CVE-2025-57754

CVSS 9.8v3.1pub. 2025-08-21upd. 2026-04-15

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion.

🤖 AI Analysis
How it works

An error was made in the project repository by placing a .env file containing a sensitive Supabase URI directly in the source code (CWE-260 — Password in Configuration File). The URI contains embedded authentication credentials (username and password) that are publicly accessible to anyone with access to the repository. An attacker can directly use these credentials to authenticate to the Supabase instance without any additional interaction with the victim.

Impact

An attacker gains full, unauthorized control over the Supabase database and user data, which may lead to data exfiltration, modification, or permanent deletion.

Mitigation & patch

The exposed Supabase authentication credentials must be immediately revoked (rotated) — changing the application code without revoking the credentials does not eliminate the threat, as the repository history may still contain sensitive information. Patches available from the vendor should be applied according to references (commit bc2d2f9d23e6ae961a23e0d769e0722870b11108). It is recommended to review Git history for other exposed secrets and implement secret detection tools in the CI/CD pipeline.

Who is affected

eslint-ban-moment version 3.0.0 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References