CVE-2025-54313
HIGH CISA KEVDescription
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Is your site exposed to CVE-2025-54313?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| prettier | eslint-config-prettier |
| prettier | eslint-config-prettier |
| prettier | eslint-config-prettier |
| prettier | eslint-config-prettier |
| microsoft | windows |
| prettier | eslint-plugin-prettier |
| prettier | eslint-plugin-prettier |
| microsoft | windows |
| un-ts | synckit |
| microsoft | windows |
| un-ts | pkgr\/core |
| microsoft | windows |
| alexghr | got-fetch |
| alexghr | got-fetch |
| microsoft | windows |
| un-ts | napi-postinstall |
| microsoft | windows |
| homarr | homarr |
| microsoft | windows |
References
Exploits
Other References
Frequently Asked Questions
What is CVE-2025-54313? +
How severe is CVE-2025-54313? +
What products are affected by CVE-2025-54313? +
How do I check if I'm vulnerable to CVE-2025-54313? +
Related Vulnerabilities
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm …
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 …
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest …
backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after …
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing …
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string …