Description
A recent vulnerability in the `eslint-config-prettier` package, identified as CVE-2025-54313, has raised concerns about potential remote code execution (RCE) attacks. This vulnerability specifically affects Windows users and has been classified as high severity.
Other packages vulnerable to this issue that Shields uses in our supply chain include:

- `eslint-plugin-prettier`
- `synckit`
- `@pkgr/core`
- `napi-postinstall`
None of the vulnerable versions seems to be used in our codebase, and to date, upstream removed vulnerable versions from npm.
However, as we used the `^` prefix for these package versions, anyone running `npm install` on a Windows machine before the fix was applied could have been affected, for example contributors and devs of forks. With the risk being malicious code executed on the user's machine, we recommend that anyone who has run `npm install` on a Windows machine with these packages check their systems for any signs of compromise.
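One defender-side check for the point above, added here and not part of the Shields issue: a script that reads a `package-lock.json` (lockfileVersion 2 or 3), reports which versions of the packages named in this issue it resolves, and flags any that match a caller-supplied set of vulnerable versions (the vulnerable version numbers are not listed on this page, so they are a placeholder). The sample lockfile and its version strings are constructed for illustration.

```python
"""Report which versions of the packages named in this advisory a
package-lock.json (lockfileVersion 2 or 3) resolves, and flag matches
against a caller-supplied set of vulnerable versions."""
import json

# Package names taken from the advisory text above.
ADVISORY_PACKAGES = {
    "eslint-config-prettier",
    "eslint-plugin-prettier",
    "synckit",
    "@pkgr/core",
    "napi-postinstall",
}


def resolved_versions(lockfile: dict) -> dict[str, set[str]]:
    """Map each advisory package to every version the lockfile pins.
    Handles nested installs (node_modules/a/node_modules/b) and scoped
    names such as @pkgr/core, whose key contains a slash."""
    found: dict[str, set[str]] = {}
    for path, entry in lockfile.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in ADVISORY_PACKAGES and "version" in entry:
            found.setdefault(name, set()).add(entry["version"])
    return found


def flag_vulnerable(lockfile: dict, vulnerable: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return only the resolved versions that appear in `vulnerable`."""
    hits: dict[str, set[str]] = {}
    for name, versions in resolved_versions(lockfile).items():
        bad = versions & vulnerable.get(name, set())
        if bad:
            hits[name] = bad
    return hits


# Constructed sample lockfile; these version strings are made up.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/eslint-config-prettier": {"version": "9.0.0-sample"},
        "node_modules/eslint-plugin-prettier": {"version": "5.0.0-sample"},
        "node_modules/eslint-plugin-prettier/node_modules/synckit": {"version": "0.9.0-sample"},
        "node_modules/@pkgr/core": {"version": "0.1.0-sample"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Placeholder: replace with the vulnerable versions published upstream.
    vulnerable = {"eslint-config-prettier": {"9.0.0-sample"}}
    print(flag_vulnerable(SAMPLE_LOCK, vulnerable))
```

To load a real file, pass `json.load(open("package-lock.json"))` instead of `SAMPLE_LOCK`; for what `npm install` actually put on disk rather than what the committed lockfile pins, point it at `node_modules/.package-lock.json`, which npm 7+ writes in the same format.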
The issue also seems to affect our CI job `test-main`, which runs on Windows with `npm install`. This job does not have write permissions to the created `GITHUB_TOKEN`.
Our more sensitive API key for creating review apps on fly.io is limited to an environment which is not used in this job.
What is exposed to this job is a bunch of read-only tokens, which are used to fetch data from our APIs and are less sensitive.
We will be working on rotating these tokens as a precaution, but we do not expect any issues to arise from this vulnerability in our CI environment.
The issue does not seem to affect our CI environment, as our only Windows job `test-main` uses `npm ci`, which does not install packages with the `^` prefix and thus does not install vulnerable versions. (Thank you Chris for the correction.)
Currently, we are not aware of any issues in our production environment related to this vulnerability.
We will continue to monitor the situation.
A blog post PR is pending as well at #11241 to add this info to shields.io