CVE-2025-65957 Overview
CVE-2025-65957 is an information disclosure vulnerability in Core Bot, an open source Discord bot used for maple hospital servers. The bot loads sensitive API keys including SUPABASE_API_KEY and TOKEN through environment variables. However, error handlers, summary embeds, and webhook routines fail to redact these values before emitting them. Operators running affected commits before dffe050 may leak credentials into Discord channels and log destinations. The flaw is tracked as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Maintainers shipped a fix in commit dffe050 that introduces a redaction helper for sensitive strings.
Critical Impact
Disclosure of SUPABASE_API_KEY and bot TOKEN enables attackers to take over the Discord bot, impersonate it, and reach the backing Supabase database.
Affected Products
- Intercore-Productions Core-Bot prior to commit dffe050
- Deployments using SUPABASE_API_KEY and TOKEN environment variables
- Self-hosted maple hospital Discord server bot instances
Discovery Timeline
- 2025-11-26 - CVE-2025-65957 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65957
Vulnerability Analysis
Core Bot loads its Supabase API key and Discord bot token from environment variables at startup. While this approach keeps secrets out of source control, the codebase reuses the in-memory values inside diagnostic helpers. Error handlers, configuration summary embeds, and webhook payloads serialize configuration objects without sanitization. When a runtime exception fires or an administrator triggers a status command, the bot can include the raw token values in the response sent to a Discord channel.
An attacker with read access to any channel that receives these summaries can capture the credentials. Possession of the bot token permits full control of the bot's Discord identity, while the Supabase key permits direct access to the backing database with whatever role that key encodes.
Root Cause
The root cause is missing output sanitization on sensitive configuration fields. The code paths in bot.py that build embeds, log lines, and webhook bodies trusted the source of the configuration object rather than scrubbing fields by name. No allow-list or redaction wrapper guarded the serialization step before the patch.
Attack Vector
Exploitation requires the attacker to observe a channel, log sink, or webhook endpoint that receives a configuration summary or unhandled exception trace. Triggering a known faulty command or waiting for a scheduled summary is sufficient. The attacker then extracts the leaked TOKEN or SUPABASE_API_KEY and authenticates directly to the Discord API or Supabase project.
# Source: https://github.com/Intercore-Productions/Core-Bot/commit/dffe050d565a580edfcd0242efa45da88ab31260
"Content-Type": "application/json"
}
+# --- redact secret ---
+def redact_secret(value: str, show_start: int = 6, show_end: int = 4) -> str:
+ try:
+ if not value or not isinstance(value, str):
+ return "<redacted>"
+ if len(value) <= (show_start + show_end + 4):
+ return "<redacted>"
+ return f"{value[:show_start]}...{value[-show_end:]}"
+ except Exception:
+ return "<redacted>"
+
# --- Database Function ---
def init_db():
pass
The patch adds a redact_secret helper that returns <redacted> for short or non-string inputs and otherwise emits only the first six and last four characters. Maintainers wrap secret values with this helper before any embed, log, or webhook serialization.
Detection Methods for CVE-2025-65957
Indicators of Compromise
- Discord channel messages or embed fields containing strings matching the Discord bot token pattern ([A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}).
- Log entries or webhook payloads containing the literal keys SUPABASE_API_KEY or TOKEN paired with non-redacted values.
- Unexpected Supabase API requests originating from IP addresses outside the bot's hosting environment.
- New Discord bot sessions or gateway connections from unknown geographic locations.
Detection Strategies
- Grep historical Discord channel exports and bot log files for high-entropy strings adjacent to error stack traces or status embed titles.
- Diff deployed bot.py against the upstream dffe050 commit to confirm the redact_secret helper is present and used at every embed and log site.
- Audit Supabase access logs for queries authenticated with the project API key from unfamiliar user agents or networks.
Monitoring Recommendations
- Forward bot stdout, stderr, and webhook traffic into a centralized log store and alert on regex matches for token formats.
- Enable Discord audit log review for the bot account to flag unexpected message edits, permission changes, or guild additions.
- Monitor Supabase service role usage and rotate keys on any anomaly.
How to Mitigate CVE-2025-65957
Immediate Actions Required
- Update the Core-Bot deployment to a build that includes commit dffe050 or later.
- Rotate the Discord bot TOKEN through the Discord Developer Portal and revoke the previous token.
- Rotate SUPABASE_API_KEY and any other Supabase service keys exposed to the bot process.
- Purge Discord channels, log archives, and webhook receivers of historical messages that may contain leaked secrets.
Patch Information
The fix is committed in Intercore-Productions/Core-Bot commit dffe050. Additional context is available in the GitHub Security Advisory GHSA-42j6-x28v-38r8. Operators should pull the latest main branch and redeploy.
Workarounds
- Disable status, summary, and debug commands until the patched commit is deployed.
- Route bot error output to a private log sink that no untrusted user can read, and strip secret fields with a wrapper similar to redact_secret before any embed or webhook send.
- Scope the Supabase key to the minimum required role to limit the blast radius if it leaks again.
# Configuration example: update and restart Core-Bot with redaction patch
cd Core-Bot
git fetch origin
git checkout dffe050d565a580edfcd0242efa45da88ab31260
pip install -r requirements.txt
# rotate credentials before restart
export TOKEN="<new-discord-bot-token>"
export SUPABASE_API_KEY="<new-supabase-key>"
systemctl restart core-bot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

