
CVE-2025-57754: CWE-260: Password in Configuration File in kristoferfannar eslint-ban-moment

Severity: Critical
Published: Thu Aug 21 2025 (08/21/2025, 16:14:29 UTC)
Source: CVE Database V5
Vendor/Project: kristoferfannar
Product: eslint-ban-moment

Description

eslint-ban-moment is an ESLint plugin for a final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password allows an attacker complete unauthorized access to and control over the database and user data. This could lead to data exfiltration, modification or deletion.

AI-Powered Analysis

Last updated: 08/21/2025, 16:48:13 UTC

Technical Analysis

CVE-2025-57754 is a critical security vulnerability identified in the eslint-ban-moment plugin, version 3.0.0 and earlier, developed by kristoferfannar. This plugin is used as an ESLint extension, commonly integrated into JavaScript/TypeScript development environments to enforce coding standards. The vulnerability stems from the exposure of a sensitive Supabase URI containing embedded credentials (username and password) within the .env configuration file. Supabase is a backend-as-a-service platform that provides database and user management capabilities. The presence of credentials in a publicly accessible or improperly secured configuration file allows an attacker to gain unauthorized, unauthenticated remote access to the associated Supabase database. Exploitation requires no user interaction and no privileges, making it trivially exploitable over the network. Once accessed, an attacker can fully compromise the confidentiality, integrity, and availability of the database and user data, including the ability to exfiltrate, modify, or delete sensitive information. The vulnerability is classified under CWE-260 (Credentials in Configuration Files), highlighting poor credential management practices. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact and ease of exploitation. No known exploits are currently reported in the wild, but the severity and nature of the flaw make it a prime target for attackers. No official patches have been released yet, increasing the urgency for mitigation. This vulnerability is particularly dangerous in development or production environments where the .env file is inadvertently exposed or included in source code repositories or deployment packages.

Potential Impact

For European organizations, the impact of CVE-2025-57754 can be severe, especially for those relying on the eslint-ban-moment plugin in their development pipelines or production environments that use Supabase as a backend. Unauthorized access to Supabase databases can lead to large-scale data breaches involving personal data protected under GDPR, resulting in regulatory fines, reputational damage, and loss of customer trust. The ability to modify or delete data can disrupt business operations, cause service outages, and compromise application integrity. Organizations in sectors such as finance, healthcare, and e-commerce, which handle sensitive customer or patient data, are at heightened risk. Additionally, the exposure of credentials in configuration files is a common security misconfiguration that may indicate broader weaknesses in secret management practices within affected organizations. Attackers exploiting this vulnerability could also leverage compromised databases as pivot points for further network intrusion or lateral movement. Given the critical severity and the fact that exploitation requires no authentication or user interaction, the threat poses a significant risk to European companies using this plugin or Supabase services without adequate credential protection.

Mitigation Recommendations

Immediate mitigation steps include removing sensitive credentials from the .env file and replacing them with environment variables injected securely at runtime, using secret management tools such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. Organizations should audit their source code repositories and deployment pipelines to ensure that .env files or any files containing credentials are excluded from version control and not exposed publicly. Updating to a patched version of eslint-ban-moment once available is essential. In the absence of an official patch, consider temporarily discontinuing the use of the affected plugin version or isolating the Supabase instance with strict network access controls and IP whitelisting. Implement monitoring and alerting on database access logs to detect anomalous or unauthorized activity. Conduct a thorough review of all configuration files across projects to identify and remediate similar credential exposures. Educate developers on secure credential management best practices, including the use of environment variables and avoiding hardcoded secrets. Finally, perform a risk assessment to evaluate potential data exposure and prepare incident response plans in case of compromise.
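As an added example that is not part of this advisory or the eslint-ban-moment project, the following Node.js script implements the configuration-file audit recommended above: it parses .env contents and reports every variable whose value is a connection URI with an embedded password (the CWE-260 pattern), printing each finding with the secret redacted. The sample .env lines, variable names and hostnames are constructed for the example, and template placeholders such as `${DB_PASSWORD}` are deliberately not reported so an `.env.example` does not trip the check.

```javascript
// Added example, not code from the advisory or the eslint-ban-moment project:
// scan .env contents for connection URIs that embed a password (CWE-260).
// Parse KEY=VALUE lines, ignoring blanks and comments, stripping an optional
// "export " prefix and surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    vars[m[1]] = value;
  }
  return vars;
}
// Placeholders such as ${DB_PASSWORD}, <password> or **** mark a template
// (.env.example) rather than a live secret, so they are not reported.
const PLACEHOLDER = /^(\$\{.*\}|<.*>|\*+)$/;
// Return one finding per variable whose value is a URI carrying a password.
function findEmbeddedCredentials(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    let url;
    try { url = new URL(value); } catch { continue; } // not a URI, skip
    if (!url.password) continue;                      // e.g. a bare https:// URL
    let pw;
    try { pw = decodeURIComponent(url.password); } catch { pw = url.password; }
    if (PLACEHOLDER.test(pw)) continue;
    // Report a redacted form so the finding itself never echoes the secret.
    const redacted = `${url.protocol}//${url.username}:***@${url.host}${url.pathname}`;
    findings.push({ key, user: url.username, redacted });
  }
  return findings;
}
// Constructed sample .env (hostnames and values are invented for this example).
const SAMPLE_ENV = [
  "# Supabase project settings",
  "SUPABASE_URL=https://example.supabase.co",
  'SUPABASE_DB_URI="postgresql://postgres:ExamplePassw0rd@db.example.invalid:5432/postgres"',
  "export REDIS_URL=redis://:${REDIS_PASSWORD}@cache.example.invalid:6379",
  "APP_NAME=eslint-ban-moment",
].join("\n");
function scanSample() { return findEmbeddedCredentials(SAMPLE_ENV); }
console.log(JSON.stringify(scanSample(), null, 2));
```

Run over every .env file in a repository from a pre-commit hook or CI job and fail the build when any finding is returned.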


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-19T15:16:22.916Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a74a30ad5a09ad00128c3d

Added to database: 8/21/2025, 4:32:48 PM

Last enriched: 8/21/2025, 4:48:13 PM

Last updated: 8/22/2025, 9:02:52 PM

