
CVE-2025-54313

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 19 July 2025
Modified: 23 January 2026
KEV Added: 22 January 2026
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N)
EPSS Score: 0.1250 (94.1st percentile)
Risk Priority: 43 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54313 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in Microsoft Windows. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 5.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-12 (Supply Chain Protection).

Deeper analysis

eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code as part of a supply chain compromise. The affected component is the npm package itself: installing it triggers execution of an install.js lifecycle script that drops and launches the node-gyp.dll malware on Windows systems. The CVSS 7.5 score reflects a network attack vector, high attack complexity, changed scope, and an impact that falls primarily on integrity (high) with limited confidentiality effects (low), classified under CWE-506 (Embedded Malicious Code).

An attacker who publishes or substitutes the malicious package versions can achieve code execution on any system that installs or updates to those releases. No authentication or user interaction beyond a standard package installation is required, allowing the malware to run in the context of the installing user on Windows.

Public references including the package repository issue, Socket.dev analysis, and BleepingComputer reporting describe the incident as resulting from a phishing campaign that compromised maintainer credentials for multiple Prettier-related tooling packages. The EPSS score rose from a low baseline to a peak of 0.1467, indicating emerging exploitation interest after disclosure.


Vulnerability details

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 have embedded malicious code as part of a supply chain compromise. Installing an affected version executes an install.js file that launches the node-gyp.dll malware on Windows.

CWE(s): CWE-506 (Embedded Malicious Code)
KEV Date Added: 22 January 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access): Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Compromised npm package with embedded malicious install.js code directly enables supply chain compromise of dev dependencies (T1195.001) and automatic JavaScript execution on install (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8398: same product (Microsoft Windows); both on KEV
CVE-2026-45321: shared CWE-506; both on KEV
CVE-2025-30154: shared CWE-506; both on KEV
CVE-2026-33634: shared CWE-506; both on KEV
CVE-2025-30066: shared CWE-506; both on KEV
CVE-2025-59374: shared CWE-506; both on KEV
CVE-2026-48027: shared CWE-506; both on KEV
CVE-2025-2783: same product (Microsoft Windows); both on KEV
CVE-2025-8088: same product (Microsoft Windows); both on KEV
CVE-2026-34621: same product (Microsoft Windows); both on KEV

Affected Assets

Vendor / package: affected versions

prettier / eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
prettier / eslint-plugin-prettier: 4.2.2, 4.2.3
un-ts / synckit: 0.11.9
un-ts / pkgr/core: 0.2.8
alexghr / got-fetch: 5.1.1, 5.1.2
un-ts / napi-postinstall: 0.3.1
homarr / homarr: 1.29.0 to 1.30.0

Mitigating Controls

NIST 800-53 r5 controls

SA-12 Supply Chain Protection (prevent): Establishes and implements supply chain protections to prevent compromises like the malicious eslint-config-prettier npm package embedding executable malware.

Component authenticity (prevent): Detects and prevents counterfeit components such as the compromised npm package with embedded install.js launching node-gyp.dll malware.

CM-11 User-installed Software (prevent): Enforces organizational policies to restrict and monitor user-installed software, blocking installation of affected eslint-config-prettier versions that auto-execute malware on Windows.
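The deeper analysis above traces the compromise to an install.js lifecycle script that runs at package installation time, and the CM-11 control asks for blocking installation of the affected versions. The Node.js script below is an added example written for this page, not code from the advisory or from any of the affected projects. It checks an npm lockfile for the compromised npm versions in the Affected Assets list (both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of lockfile v1) and reports whether the project's .npmrc sets ignore-scripts=true, which stops npm from running install.js during installation. Assumptions: the registry name "@pkgr/core" for the "pkgr/core" entry is mine; homarr, listed with a version range rather than an npm package name, is omitted; the lockfile and .npmrc contents are constructed sample inputs, not real project files.

```javascript
// Added example (not from the advisory page): check an npm lockfile for the
// compromised versions in CVE-2025-54313 and whether install scripts are blocked.
const ADVISORY_ID = 'CVE-2025-54313';

// Affected npm versions from the advisory's "Affected Assets" list.
// '@pkgr/core' is an assumed registry name for the "pkgr/core" entry.
const COMPROMISED_VERSIONS = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'got-fetch': ['5.1.1', '5.1.2'],
  'napi-postinstall': ['0.3.1'],
};

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/foo/node_modules/@pkgr/core" -> "@pkgr/core".
function packageNameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk both lockfile layouts: the flat v2/v3 "packages" map, or the nested
// v1 "dependencies" tree when no "packages" map is present (avoids double counting).
function findCompromisedPackages(lockfile) {
  const hits = [];
  const record = (name, version, where) => {
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };
  if (lockfile.packages) {
    for (const [key, meta] of Object.entries(lockfile.packages)) {
      const name = packageNameFromPath(key);
      if (name && meta && meta.version) record(name, meta.version, key);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}${name}`;
      if (meta && meta.version) record(name, meta.version, where);
      if (meta && meta.dependencies) walk(meta.dependencies, `${where} > `);
    }
  };
  walk(lockfile.dependencies, '');
  return hits;
}

// True when the .npmrc (npm's ini-style config) sets ignore-scripts=true, which
// makes npm skip install.js and other lifecycle scripts during installation.
function npmrcIgnoresScripts(npmrcText) {
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.replace(/[#;].*$/, '').trim(); // strip ini comments
    const m = /^ignore-scripts\s*=\s*(\S+)$/i.exec(line);
    if (m) return m[1].toLowerCase() === 'true';
  }
  return false;
}

// Constructed sample inputs (not real project files): one direct hit, one
// transitive hit, and two packages at versions the advisory does not list.
const SAMPLE_LOCKFILE = {
  name: 'sample-app', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7', dev: true },
    'node_modules/eslint-plugin-prettier': { version: '5.1.3', dev: true },
    'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.11.9' },
    'node_modules/@pkgr/core': { version: '0.2.7' },
  },
};
const SAMPLE_NPMRC = '# constructed sample\nregistry=https://registry.npmjs.org/\nignore-scripts=true\n';

// Summarise findings for one project; defaults to the constructed samples.
function report(lockfile = SAMPLE_LOCKFILE, npmrcText = SAMPLE_NPMRC) {
  return {
    advisory: ADVISORY_ID,
    compromised: findCompromisedPackages(lockfile),
    installScriptsBlocked: npmrcIgnoresScripts(npmrcText),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the text of the project's .npmrc to report(). A hit on any entry is a signal to remove the installed tree and reinstall a clean version; the ignore-scripts check is a configuration guard, not evidence that the package contents are clean.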
