Supply Chain Compromise in eslint-config-prettier Affects Multiple Versions
CVE-2025-54313

7.5 HIGH

Key Information:

Vendor: Prettier

CVE Published: 19 July 2025

What is CVE-2025-54313?

The eslint-config-prettier npm package was compromised, with malicious code embedded in versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. The compromised versions ship an install.js file that runs automatically when the package is installed and, on Windows systems, activates the node-gyp.dll malware. The incident illustrates the supply chain risk of third-party libraries in development workflows: a dependency can execute arbitrary code on a developer's machine during installation.

Affected Version(s)

eslint-config-prettier 8.10.1

eslint-config-prettier 9.1.1

eslint-config-prettier 10.1.6

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
