{"id":"CVE-2025-54313","details":"eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.","aliases":["GHSA-f29h-pxvx-f335"],"modified":"2026-04-10T05:34:10.663490Z","published":"2025-07-19T17:15:23.733Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313"},{"type":"WEB","url":"https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"},{"type":"ADVISORY","url":"https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"},{"type":"ADVISORY","url":"https://github.com/community-scripts/ProxmoxVE/discussions/6115"},{"type":"ADVISORY","url":"https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=44609732"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=44608811"},{"type":"REPORT","url":"https://github.com/prettier/eslint-config-prettier/issues/339"},{"type":"EVIDENCE","url":"https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"},{"type":"EVIDENCE","url":"https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alexghr/got-fetch","events":[{"introduced":"0"},{"last_affected":"91d71081b3185a6bf9c6765512947789de0f2f2a"},{"introduced":"0"},{"last_affected":"f553ecde7c2dd5e7c48f166e53bb310540b42aaa"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.1.1"},{"introduced":"0"},{"last_affected":"5.1.2"}]}},{"type":"GIT","repo":"https://github.com/homarr-labs/homarr","events":[{"introduced":"c2305d4e276e3627c18c3aaa4cbcfbb1d6388570"},{"fixed":"fd62524db309429db1f233b1d0feb8e6ab4efd2d"}],"database_specific":{"versions":[{"introduced":"1.29.0"},{"fixed":"1.30.0"}]}},{"type":"GIT","repo":"https://github.com/un-ts/pkgr","events":[{"introduced":"0"},{"last_affected":"d114886817220e2fe6c5737460edac13527096a5"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.2.8"}]}},{"type":"GIT","repo":"https://github.com/un-ts/synckit","events":[{"introduced":"0"},{"last_affected":"ebfb59dbf42f665d51e771e46dd1272b178c8295"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.3.1"}]}}],"versions":["@pkgr/es-modules@0.1.0","@pkgr/es-modules@0.2.0","@pkgr/es-modules@0.2.1","@pkgr/es-modules@0.2.2","@pkgr/es-modules@0.2.3","@pkgr/imagemin@0.1.0","@pkgr/imagemin@0.1.1","@pkgr/imagemin@0.1.2","@pkgr/imagemin@0.1.3","@pkgr/imagemin@0.1.4","@pkgr/imagemin@0.2.0","@pkgr/imagemin@0.3.0","@pkgr/imagemin@0.3.1","@pkgr/imagemin@0.3.2","@pkgr/imagemin@0.3.3","@pkgr/imagemin@0.3.4","@pkgr/imagemin@0.3.5","@pkgr/imagemin@0.3.6","@pkgr/imagemin@0.3.7","@pkgr/named-exports@0.1.0","@pkgr/named-exports@0.2.0","@pkgr/named-exports@0.2.1","@pkgr/named-exports@0.2.2","@pkgr/named-exports@0.2.3","@pkgr/named-exports@0.3.0","@pkgr/named-exports@0.4.0","@pkgr/named-exports@0.4.1","@pkgr/named-exports@0.4.2","@pkgr/named-exports@0.4.3","@pkgr/rollup@0.1.0","@pkgr/rollup@0.2.0","@pkgr/rollup@0.2.1","@pkgr/rollup@0.2.2","@pkgr/rollup@0.2.3","@pkgr/rollup@0.2.4","@pkgr/rollup@0.2.5","@pkgr/rollup@0.2.6","@pkgr/rollup@0.3.0","@pkgr/rollup@0.4.0","@pkgr/rollup@0.6.0","@pkgr/rollup@0.6.1","@pkgr/rollup@0.6.2","@pkgr/rollup@0.6.3","@pkgr/rollup@0.6.4","@pkgr/rollup@0.6.5","@pkgr/rollup@0.6.6","@pkgr/rollup@0.6.7","@pkgr/rollup@0.7.0","@pkgr/rollup@0.8.0","@pkgr/rollup@0.8.1","@pkgr/rollup@0.8.10","@pkgr/rollup@0.8.2","@pkgr/rollup@0.8.3","@pkgr/rollup@0.8.4","@pkgr/rollup@0.8.5","@pkgr/rollup@0.8.6","@pkgr/rollup@0.8.7","@pkgr/rollup@0.8.8","@pkgr/rollup@0.9.0","@pkgr/rollup@0.9.1","@pkgr/rollup@0.9.2","@pkgr/rollup@0.9.3","@pkgr/rollup@0.9.4","@pkgr/rollup@0.9.5","@pkgr/umd-globals@0.1.0","@pkgr/umd-globals@0.2.0","@pkgr/umd-globals@0.2.1","@pkgr/umd-globals@0.2.2","@pkgr/umd-globals@0.3.0","@pkgr/umd-globals@0.3.1","@pkgr/umd-globals@0.3.2","@pkgr/utils@0.1.0","@pkgr/utils@0.1.1","@pkgr/utils@0.1.2","@pkgr/utils@0.1.3","@pkgr/utils@0.1.4","@pkgr/utils@0.2.0","@pkgr/utils@0.2.1","@pkgr/utils@0.2.2","@pkgr/utils@0.3.0","@pkgr/utils@0.3.1","@pkgr/utils@0.3.2","@pkgr/utils@0.3.3","@pkgr/utils@0.3.4","@pkgr/utils@0.3.5","@pkgr/utils@0.3.6","@pkgr/utils@0.3.7","@pkgr/utils@0.3.8","@pkgr/webpack-angular@0.1.0","@pkgr/webpack-angular@0.1.1","@pkgr/webpack-angular@0.1.2","@pkgr/webpack-angular@0.1.3","@pkgr/webpack-angular@0.1.4","@pkgr/webpack-angular@0.1.5","@pkgr/webpack-angular@0.1.6","@pkgr/webpack-angular@0.1.8","@pkgr/webpack-angular@0.2.0","@pkgr/webpack-angular@0.2.1","@pkgr/webpack-angular@0.2.2","@pkgr/webpack-angular@0.2.3","@pkgr/webpack-mdx@0.1.0","@pkgr/webpack-mdx@0.1.1","@pkgr/webpack-mdx@0.1.2","@pkgr/webpack-mdx@0.1.3","@pkgr/webpack-mdx@0.1.4","@pkgr/webpack-mdx@0.1.5","@pkgr/webpack-mdx@0.1.6","@pkgr/webpack-mdx@0.1.8","@pkgr/webpack-mdx@0.2.0","@pkgr/webpack-mdx@0.2.1","@pkgr/webpack-mdx@0.2.2","@pkgr/webpack-mdx@0.2.3","@pkgr/webpack-mdx@0.2.4","@pkgr/webpack-react@0.1.0","@pkgr/webpack-react@0.2.0","@pkgr/webpack-react@0.2.1","@pkgr/webpack-react@0.2.10","@pkgr/webpack-react@0.2.11","@pkgr/webpack-react@0.2.2","@pkgr/webpack-react@0.2.3","@pkgr/webpack-react@0.2.4","@pkgr/webpack-react@0.2.5","@pkgr/webpack-react@0.2.7","@pkgr/webpack-react@0.2.8","@pkgr/webpack-react@0.2.9","@pkgr/webpack-svelte@0.1.0","@pkgr/webpack-svelte@0.1.1","@pkgr/webpack-svelte@0.1.2","@pkgr/webpack-svelte@0.1.3","@pkgr/webpack-svelte@0.1.4","@pkgr/webpack-svelte@0.1.5","@pkgr/webpack-svelte@0.1.6","@pkgr/webpack-svelte@0.1.7","@pkgr/webpack-vue@0.1.0","@pkgr/webpack-vue@0.2.0","@pkgr/webpack-vue@0.2.1","@pkgr/webpack-vue@0.2.2","@pkgr/webpack-vue@0.2.3","@pkgr/webpack-vue@0.2.4","@pkgr/webpack-vue@0.2.5","@pkgr/webpack-vue@0.2.6","@pkgr/webpack-vue@0.2.7","@pkgr/webpack-vue@0.2.8","@pkgr/webpack@0.1.0","@pkgr/webpack@0.1.1","@pkgr/webpack@0.1.2","@pkgr/webpack@0.2.0","@pkgr/webpack@0.2.1","@pkgr/webpack@0.2.2","@pkgr/webpack@0.2.3","@pkgr/webpack@0.2.4","@pkgr/webpack@0.2.5","@pkgr/webpack@0.3.0","@pkgr/webpack@0.4.0","@pkgr/webpack@0.4.1","@pkgr/webpack@0.4.10","@pkgr/webpack@0.4.11","@pkgr/webpack@0.4.12","@pkgr/webpack@0.4.13","@pkgr/webpack@0.4.14","@pkgr/webpack@0.4.16","@pkgr/webpack@0.4.2","@pkgr/webpack@0.4.3","@pkgr/webpack@0.4.4","@pkgr/webpack@0.4.5","@pkgr/webpack@0.4.6","@pkgr/webpack@0.4.7","@pkgr/webpack@0.4.8","@pkgr/webpack@0.4.9","@pkgr/webpack@0.5.0","@pkgr/webpack@0.5.1","@pkgr/webpack@0.5.2","@pkgr/webpack@0.5.3","@pkgr/webpack@0.5.4","@pkgr/webpack@0.5.5","v0.1.0","v0.1.0-alpha","v0.1.0-rc.1","v0.1.1","v0.1.2","v0.1.4","v0.1.5","v0.1.6","v0.2.0","v0.3.0","v0.3.1","v1.0.0","v1.0.0-rc.1","v1.29.0","v2.0.1","v2.0.2","v3.0.0","v4.0.0","v4.0.1","v4.0.2","v4.0.3","v5.0.0","v5.0.1","v5.0.2","v5.1.0","v5.1.1","v5.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54313.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.10.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.7"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.3"}]},{"events":[{"introduced":"0"},{"last_affected":"0.11.9"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"}]}