CVE-2025-57754

VIHU · eslint-ban-moment

The eslint-ban-moment plugin for VIHU exposes sensitive Supabase connection URIs containing credentials within the .env file in versions 3.0.0 and earlier.

Executive summary

The eslint-ban-moment plugin for VIHU contains a critical information disclosure vulnerability that exposes sensitive database credentials, potentially allowing unauthorized access to backend systems.

Vulnerability

This is an information disclosure vulnerability where the plugin inadvertently leaks a Supabase URI—complete with embedded username and password—into the local environment configuration file. The vulnerability is accessible to any entity with read access to the .env file, requiring no specific authentication to the database itself once the credentials are harvested.

Business impact

The exposure of Supabase credentials poses a severe risk to data confidentiality and integrity, as an attacker could gain full administrative access to the associated database. With a CVSS score of 9.8, this flaw represents a critical threat that could lead to complete data exfiltration, unauthorized modification of records, or total compromise of the application’s backend infrastructure.

Remediation

Immediate Action: Audit the .env files in all environments using eslint-ban-moment 3.0.0 or earlier to identify and rotate any exposed Supabase credentials immediately.

Proactive Monitoring: Review Supabase access logs for anomalous login patterns or connections originating from unexpected IP addresses.

Compensating Controls: Implement stricter file system permissions to restrict access to sensitive configuration files and ensure environment variables are managed through secure secret management solutions rather than flat files.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of exposed administrative credentials, organizations must prioritize the rotation of all Supabase secrets that may have been stored in an environment configuration file. Ensure that the eslint-ban-moment plugin is updated or replaced to prevent future credential leakage.