SentinelOne
CVE Vulnerability Database

CVE-2025-54313: eslint-config-prettier Supply Chain RCE

CVE-2025-54313 is a supply chain RCE vulnerability in eslint-config-prettier that executes malicious code during package installation. This article covers the technical details, affected versions, security impact, and mitigation.


CVE-2025-54313 Overview

eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code designed for a supply chain compromise. When an affected package is installed, it executes an install.js file that deploys the node-gyp.dll malware on Windows systems.

Critical Impact

This vulnerability allows attackers to execute malicious code on any system that installs an affected version, because the payload runs as part of the package's installation process.

Affected Products

  • eslint-config-prettier 8.10.1
  • eslint-config-prettier 9.1.1
  • eslint-config-prettier 10.1.6
  • eslint-config-prettier 10.1.7

Discovery Timeline

  • 2025-07-19 - CVE-2025-54313 published to NVD
  • 2025-07-23 - Last updated in NVD database

Technical Details for CVE-2025-54313

Vulnerability Analysis

The eslint-config-prettier package was compromised to include a malicious script, install.js, which runs when the package is installed. This script deploys a payload, node-gyp.dll, built for Windows environments, which carries out its tasks covertly in an attempt to evade antivirus software.

Root Cause

The root cause of this vulnerability is the inclusion of malicious code within the package’s installation script, allowing attackers to execute arbitrary code during the package installation on Windows.

Attack Vector

Network

```javascript
// Example exploitation code (sanitized)
var fs = require('fs');
var path = require('path');

// Backslashes must be escaped in a JavaScript string literal ('\t' would be a tab character)
var target = 'C:\\temp\\node-gyp.dll';

// Copies the DLL bundled in the package directory to a writable location
fs.copyFileSync(path.join(__dirname, 'node-gyp.dll'), target);
// Runs malicious DLL
require('child_process').exec('regsvr32 ' + target);
```

Detection Methods for CVE-2025-54313

Indicators of Compromise

  • Unexpected creation of node-gyp.dll in system directories
  • Execution logs pointing to install.js
  • Network anomalies corresponding to package installation

Detection Strategies

Use endpoint protection solutions like SentinelOne to monitor for abnormal file creation and execution attempts linked with node-gyp.dll. Set up alerts for unrecognized scripts launching executables on Windows.

Monitoring Recommendations

Regularly audit package installations and monitor file integrity to detect unauthorized changes. Employ behavioral analysis to identify irregular script executions and network communications.

How to Mitigate CVE-2025-54313

Immediate Actions Required

  • Uninstall affected eslint-config-prettier versions immediately
  • Isolate compromised systems from network
  • Conduct thorough forensic analysis of affected systems

Patch Information

No official patch is yet available. Monitor npmjs.com for updates.

Workarounds

Consider locking package dependencies to known safe versions pre-dating the compromise. Enable strict audit policies on npm installations to flag potential compromises.

```bash
# Configuration example: pin to an exact release that predates the compromise.
# <known-safe-version> is a placeholder; this page does not name the version.
npm install eslint-config-prettier@<known-safe-version> --save-exact
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
