CVE-2025-57754
📋 TL;DR
Versions 3.0.0 and earlier of the eslint-ban-moment ESLint plugin expose a Supabase URI with embedded credentials in the .env file that ships with the package. A Supabase URI of this kind is a ready-to-use database connection string, so anyone who holds it has full access to the associated Supabase database and can read, modify or destroy its contents. The exposed project is the one behind the plugin itself; every installation of an affected version carries a copy of the secret, which is why users of those versions are listed as affected.
💻 Affected Systems
- eslint-ban-moment
⚠️ Manual Verification Required
The NVD record for this CVE carries no machine-readable version range, so automatic detection on this site cannot tell whether your installation is affected.
Why? The NVD entry does not specify affected versions, but the vendor advisory linked under Fix & Mitigation does: 3.0.0 and earlier are affected, 3.0.1 is fixed. Check by hand:
- Review the CVE details at NVD
- Check the vendor advisory (GHSA-2486-4cjg-pw98, linked below) for the affected range
- Confirm whether the installed copy still contains the exposed URI (see How to Verify)
- Update to 3.0.1 or later; as a patch release it is a low-risk precaution even if you are unsure
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Supabase database with exfiltration of all sensitive data, modification or deletion of database contents, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to database leading to data exfiltration or manipulation of user data and application content.
If Mitigated
Once the leaked credentials are rotated the exposed URI is worthless; until then, network restrictions on the database and least-privilege roles limit what an attacker can do with it.
🎯 Exploit Status
No exploit code is needed: the URI is a working connection string. Exploitation requires only a copy of the .env file that contains it, which may be obtained from an installed copy of an affected version or from anywhere the file was copied to, such as source code repositories, build artifacts, or misconfigured deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1
Vendor Advisory: https://github.com/kristoferfannar/eslint-ban-moment/security/advisories/GHSA-2486-4cjg-pw98
Restart Required: No
Instructions:
1. Update eslint-ban-moment to version 3.0.1 or later: npm install eslint-ban-moment@^3.0.1 (npm update eslint-ban-moment also works, but only if the range in package.json already allows 3.0.1; an exact pin to 3.0.0 will not move).
2. Verify that node_modules/eslint-ban-moment/.env is gone or no longer contains the Supabase URI.
3. Rotate all Supabase credentials immediately. Removing the file does not revoke anything; the owner of the exposed Supabase project must rotate the database password and API keys, because copies of the old values already exist.
🔧 Temporary Workarounds
Remove Supabase URI from .env
Platform: all. Manually remove the exposed Supabase URI from the .env file and rotate the credentials. Removal only helps for copies under your control; the value must still be rotated because it also lives in repository history, build artifacts and already-published packages.
# Edit .env file and remove the SUPABASE_URL line (or whichever key holds the URI)
# Rotate Supabase credentials in the Supabase dashboard
Restrict file permissions
Platform: linux. Make the .env file readable only by the account that runs the application. This limits who on the host can read the file; it does nothing for copies already in a repository, a build artifact or a published package.
chmod 600 .env
chown app:app .env   # app = the service account that runs the application (placeholder); do not use root:root, a root-owned 600 file is unreadable to a non-root process
🧯 If You Can't Patch
- Immediately rotate all Supabase database credentials and API keys for the exposed project; this is the only step that actually revokes the leak
- Restrict database access to authorized IPs only, using the database's network restriction allow-list (Supabase offers one) or your own network segmentation, and keep the database role used by the application at least privilege
🔍 How to Verify
Check if Vulnerable:
Check the installed version of eslint-ban-moment (package.json usually holds a range, so read the lockfile or the output of npm list); 3.0.0 or earlier is affected. Then inspect node_modules/eslint-ban-moment/.env for a Supabase URI with embedded credentials.
Check Version:
npm list eslint-ban-moment
Verify Fix Applied:
Verify eslint-ban-moment version is 3.0.1 or later and .env file no longer contains Supabase credentials
📡 Detection & Monitoring
Log Indicators:
- Unusual database access patterns from unexpected IP addresses
- Failed authentication attempts followed by successful access
Network Indicators:
- Database connections from unauthorized IP ranges
- Unusual data export traffic patterns
SIEM Query (illustrative pseudo-query; the source and field names depend on how you export Supabase or Postgres logs into your SIEM):
source="supabase" AND (event_type="authentication" OR event_type="query") AND src_ip NOT IN [authorized_ips]