CVE-2025-65957
📋 TL;DR
This vulnerability in Core Bot, an open-source Discord bot for Maple Hospital servers, allows sensitive API keys (SUPABASE_API_KEY, TOKEN) to be inadvertently leaked in error handling, summaries, or webhooks. The issue occurs when configuration summaries fail to properly redact sensitive data in embeds or logs. Anyone running affected versions of Core Bot is potentially impacted.
💻 Affected Systems
- Core Bot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to SUPABASE_API_KEY and TOKEN, allowing them to compromise the bot's functionality, access associated databases/services, and potentially take over Discord servers or steal sensitive data.
Likely Case
Sensitive API keys are exposed in logs or Discord embeds, leading to unauthorized access to bot-controlled resources and potential service disruption.
If Mitigated
With proper access controls and monitoring, exposure is limited to internal logs, but keys could still be compromised if logs are accessed by unauthorized parties.
🎯 Exploit Status
Exploitation requires triggering error conditions or accessing logs/embeds where sensitive data might be exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit dffe050 and later
Vendor Advisory: https://github.com/Intercore-Productions/Core-Bot/security/advisories/GHSA-42j6-x28v-38r8
Restart Required: Yes
Instructions:
1. Update to commit dffe050 or later.
2. Pull latest changes from GitHub repository.
3. Restart the bot service.
4. Rotate all exposed API keys (SUPABASE_API_KEY, TOKEN) as precaution.
🔧 Temporary Workarounds
Disable detailed error logging
Configure the bot to log minimal error details to prevent sensitive data exposure.
Modify logging configuration to set log level to WARNING or ERROR only
Manual key redaction
Review and modify code to ensure API keys are properly redacted in all logging and embed generation.
Manually inspect error handling, summary, and webhook code for key exposure
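The redaction the workaround above asks for, as an added example that is not Core Bot's own code: secrets are masked by key name when a configuration summary is built, and scrubbed by value out of error messages and stack traces, because an HTTP client error can quote the key inside a URL or header even when no config field is printed. The example assumes the bot holds its configuration in a plain object whose secret entries are named SUPABASE_API_KEY and TOKEN (the names from the advisory); the embed-field shape, the helper names and the sample values are constructed for illustration.

```javascript
// Added example (not Core Bot's own code): redact secrets by key name and by value
// before configuration summaries or error details reach a log line, a webhook
// payload or a Discord embed.
// Assumption: secret config entries are named SUPABASE_API_KEY and TOKEN.

const SECRET_KEYS = new Set(["SUPABASE_API_KEY", "TOKEN"]);
const MASK = "[REDACTED]";

// Return a deep copy of `config` in which every entry whose key is in
// `secretKeys` is replaced by MASK. Nested objects and arrays are walked.
function redactConfig(config, secretKeys = SECRET_KEYS) {
  if (Array.isArray(config)) {
    return config.map((v) => redactConfig(v, secretKeys));
  }
  if (config && typeof config === "object") {
    const out = {};
    for (const [k, v] of Object.entries(config)) {
      out[k] = secretKeys.has(k) ? MASK : redactConfig(v, secretKeys);
    }
    return out;
  }
  return config;
}

// Collect the string values of all secret keys so they can be scrubbed out of
// free-form text (error messages, stack traces, webhook bodies).
function secretValues(config, secretKeys = SECRET_KEYS) {
  const values = [];
  const walk = (node) => {
    if (Array.isArray(node)) {
      node.forEach(walk);
    } else if (node && typeof node === "object") {
      for (const [k, v] of Object.entries(node)) {
        if (secretKeys.has(k) && typeof v === "string") values.push(v);
        else walk(v);
      }
    }
  };
  walk(config);
  return values;
}

// Replace every occurrence of a known secret value in `text` with MASK.
// Very short values are skipped so a one-letter "secret" cannot shred the text.
function scrubText(text, values) {
  let out = String(text);
  for (const value of values) {
    if (typeof value === "string" && value.length >= 8) {
      out = out.split(value).join(MASK);
    }
  }
  return out;
}

// Build the fields of a configuration-summary embed from the redacted copy only.
// Returns { name, value } pairs (assumed embed-field shape; no discord.js needed).
function buildConfigSummaryFields(config) {
  const safe = redactConfig(config);
  return Object.entries(safe).map(([name, value]) => ({
    name,
    value: typeof value === "object" ? JSON.stringify(value) : String(value),
  }));
}

// Produce an error report that is safe to log or post to a webhook: both the
// message and the stack are scrubbed against the secret values in `config`.
function safeErrorReport(err, config) {
  const values = secretValues(config);
  return {
    message: scrubText(err.message, values),
    stack: scrubText(err.stack || "", values),
  };
}

// Constructed sample configuration with obviously fake credentials.
const sampleConfig = {
  PREFIX: "!",
  TOKEN: "FAKE-DISCORD-TOKEN-0123456789abcdef",
  supabase: {
    url: "https://example.invalid",
    SUPABASE_API_KEY: "FAKE-SUPABASE-KEY-abcdef0123456789",
  },
};
```

Only the output of `redactConfig` or `safeErrorReport` should ever be handed to an embed builder, a logger or a webhook client; the unredacted object stays inside the process. Scrubbing by value is the part that catches the advisory's error-handling case, since the secret there is usually inside a quoted request rather than under its own key name.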
🧯 If You Can't Patch
- Rotate all API keys (SUPABASE_API_KEY, TOKEN) immediately to invalidate any potentially exposed credentials.
- Implement strict access controls on logs and monitoring systems to prevent unauthorized access to sensitive data.
🔍 How to Verify
Check if Vulnerable:
Check if your Core Bot version is prior to commit dffe050 by examining git history or version metadata.
Check Version:
git log --oneline | head -5
Verify Fix Applied:
Verify that commit dffe050 is included in your current version and test error conditions to ensure no API keys appear in logs or embeds.
📡 Detection & Monitoring
Log Indicators:
- Log entries containing SUPABASE_API_KEY=, TOKEN=, or other API key patterns in clear text
Network Indicators:
- Unusual API calls to Supabase or Discord using potentially leaked keys
SIEM Query:
source="core-bot-logs" AND ("SUPABASE_API_KEY" OR "TOKEN" OR "api_key")
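The log indicators above, turned into a scanner as an added example (not Core Bot's own code): a finding is raised when one of the listed key names is followed by an unmasked value, or when a known secret value appears anywhere on the line (which catches the URL-quoting case that a key-name search misses). Findings carry the line number and key name only, so the detection output does not leak the value a second time. The log lines, the key names beyond those in the advisory and the masked-value markers are constructed assumptions.

```javascript
// Added example (not Core Bot's own code): scan log lines for leaked credentials.
// Assumptions: key names SUPABASE_API_KEY, TOKEN and api_key (from the advisory),
// "key=value" or JSON "key":"value" layouts, and a small set of mask markers.

// Key name, optional closing quote, "=" or ":", optional opening quote, value.
const SECRET_NAME_PATTERN =
  /\b(SUPABASE_API_KEY|TOKEN|api_key)\b["']?\s*[=:]\s*["']?([^"'\s,}]+)/gi;

// Values that a correctly redacting bot would write; these are not findings.
const MASKED_VALUES = new Set(["[REDACTED]", "***", "<redacted>"]);

// Scan `lines`; `knownValues` (optional) are the live secret values, so a line
// that quotes one of them is flagged even without a key name in front of it.
function scanLogLines(lines, knownValues = []) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(SECRET_NAME_PATTERN)) {
      const [, key, value] = m;
      if (MASKED_VALUES.has(value)) continue;
      findings.push({ line: idx + 1, key: key.toUpperCase() });
    }
    for (const value of knownValues) {
      if (typeof value === "string" && value.length >= 8 && line.includes(value)) {
        findings.push({ line: idx + 1, key: "KNOWN_VALUE" });
      }
    }
  });
  return findings;
}

// Constructed sample log lines (fake credentials, example.invalid host).
const sampleLogLines = [
  "2025-01-01T00:00:00Z INFO config summary: PREFIX=! TOKEN=[REDACTED]",
  "2025-01-01T00:00:01Z ERROR supabase request failed: SUPABASE_API_KEY=FAKE-KEY-abcdef0123456789 status=401",
  '2025-01-01T00:00:02Z DEBUG payload {"TOKEN":"FAKE-TOKEN-0123456789abcdef","guild":"123"}',
  "2025-01-01T00:00:03Z INFO token refresh completed",
  "2025-01-01T00:00:04Z WARN api_key missing in environment",
];

// Summarise findings per key, which is the shape a SIEM alert usually wants.
function summariseFindings(findings) {
  const counts = {};
  for (const f of findings) counts[f.key] = (counts[f.key] || 0) + 1;
  return counts;
}
```

Run over `sampleLogLines`, the scanner flags line 2 (SUPABASE_API_KEY) and line 3 (TOKEN) and ignores the correctly masked line 1 and the two lines that merely mention the words "token" and "api_key". Feeding the live values through `knownValues` is what turns this from a keyword search into a check that the redaction in the fix actually holds.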