CVE-2025-54313
eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
7.5
HIGH
CVSS 3.1
⚠ KEVEPSS 14.7%
Description
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
How to fix CVE-2025-54313
To remediate CVE-2025-54313, upgrade the affected package to a fixed version below.
- —upgrade to 8.10.2 or later
- —upgrade to 4.2.4 or later
- —upgrade to 6.0.0 or later
- —upgrade to 0.3.2 or later
- —upgrade to 0.2.9 or later
- —upgrade to 0.11.10 or later
Is CVE-2025-54313 being exploited?
Yes — CVE-2025-54313 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (6)
- >= 8.10.1, < 8.10.2
- >= 4.2.2, < 4.2.4
- >= 5.1.11, < 6.0.0
- >= 0.3.1, < 0.3.2
- >= 0.2.8, < 0.2.9
- >= 0.11.9, < 0.11.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N |