CVE-2025-65957: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Intercore-Productions Core-Bot
CVE-2025-65957 is a high-severity vulnerability in the open-source Core-Bot by Intercore-Productions, used primarily on Maple Hospital Discord servers. The flaw involves inadvertent exposure of sensitive information such as API keys (SUPABASE_API_KEY, TOKEN) through error handling, summaries, or webhook messages that fail to redact confidential data. This exposure could allow unauthorized actors to access critical credentials, potentially compromising bot operations and connected services. The vulnerability affects versions prior to commit dffe050, which introduced patches to prevent data leakage. Exploitation requires some level of user interaction and privileges but can lead to significant confidentiality and integrity impacts. No known exploits are currently reported in the wild. European organizations using Core-Bot or similar Discord bots with sensitive integrations should prioritize updating to the patched version. Mitigation involves applying the patch, auditing logs and summaries for sensitive data leaks, and restricting bot permissions to minimize potential damage.
AI Analysis
Technical Summary
CVE-2025-65957 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in Core-Bot, an open-source Discord bot developed by Intercore-Productions and used notably on Maple Hospital servers. Prior to commit dffe050, the bot read its API keys, such as SUPABASE_API_KEY and TOKEN, from environment variables, which is standard practice. However, certain code paths, specifically the error handling routines, summary generation, and webhook message construction, failed to redact or mask these credentials when producing logs or summary embeds. The flaw could therefore expose the API keys to anyone with access to those logs or webhook outputs, potentially allowing them to hijack the bot or reach connected backend services. The vulnerability has a CVSS 4.0 score of 8.8 (high severity); the attack vector is network-based, but exploitation requires high attack complexity, partial privileges, and user interaction. The scope and the impact on confidentiality, integrity, and availability are all rated high, since leaked credentials permit unauthorized access to and manipulation of bot functions and data. Commit dffe050 patched the issue by redacting sensitive information in all relevant outputs. No exploits are known in the wild as of the publication date, but the risk remains significant for deployments running vulnerable versions, particularly organizations that rely on Core-Bot for critical Discord server management and for integration with backend services via API keys.
Potential Impact
For European organizations, the exposure of API keys through Core-Bot logs or webhook messages can lead to unauthorized access to backend services such as databases or cloud platforms integrated via SUPABASE_API_KEY or similar tokens. This can result in data breaches, unauthorized data modification, or service disruption. Given the bot’s role in managing Discord servers, attackers could manipulate bot commands, disrupt communications, or escalate privileges within the server environment. Healthcare-related organizations, such as those using Maple Hospital servers, face heightened risks due to the sensitivity of patient data and regulatory requirements under GDPR. The compromise of API keys could also facilitate lateral movement within networks if the bot is integrated with other internal systems. Additionally, the public nature of Discord servers means that attackers might exploit exposed information quickly if logs or summaries are accessible to a broad audience. The high CVSS score reflects the potential for significant confidentiality and integrity damage, which could lead to reputational harm, regulatory penalties, and operational downtime.
Mitigation Recommendations
1. Immediately update Core-Bot to the version including commit dffe050 or later to ensure all sensitive information is properly redacted in logs, summaries, and webhook messages.
2. Conduct a thorough audit of existing logs, summaries, and webhook outputs for any previously exposed API keys or sensitive data and revoke or rotate any compromised credentials.
3. Implement strict access controls on Discord server logs and webhook endpoints to limit visibility to trusted administrators only.
4. Restrict the bot's permissions to the minimum necessary to reduce the impact of potential compromise.
5. Monitor bot activity and server logs for unusual behavior indicative of credential misuse or unauthorized access.
6. Educate development and operations teams on secure handling of environment variables and sensitive data to prevent similar issues in future code.
7. Consider implementing automated scanning tools that detect sensitive data exposure in logs and code repositories.
8. If possible, use short-lived or scoped API tokens to limit the damage if keys are exposed.
9. Engage in regular security reviews and penetration testing focused on bot integrations and third-party components.
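As an added illustration of the redaction the patch is described as introducing (steps 1 and 2 above), and not code from Core-Bot or commit dffe050: a Python helper that strips the values of SUPABASE_API_KEY and TOKEN from exception text and from nested webhook embeds before they leave the process, plus a check usable when auditing existing logs. The embed layout, the minimum secret length and the function names are assumptions.

```python
import os
import re
from typing import Any, Callable, Dict, Iterable, List, Optional

# Environment variables the bot reads credentials from. SUPABASE_API_KEY and
# TOKEN are the names given on the page; the tuple is otherwise an assumption.
SECRET_ENV_VARS = ("SUPABASE_API_KEY", "TOKEN")
PLACEHOLDER = "[REDACTED]"
MIN_SECRET_LEN = 8  # assumed: shorter values would mangle ordinary text


def load_secret_values(env: Optional[Dict[str, str]] = None,
                       names: Iterable[str] = SECRET_ENV_VARS) -> List[str]:
    """Collect secret values from the environment, skipping unset/short ones.

    An empty value must never be redacted: re.sub on "" would corrupt every message.
    """
    source = os.environ if env is None else env
    return [v for v in (source.get(n, "") for n in names) if len(v) >= MIN_SECRET_LEN]


def build_redactor(secrets: List[str]) -> Callable[[str], str]:
    """Return a function replacing every occurrence of any secret with PLACEHOLDER."""
    if not secrets:
        return lambda text: text
    # Longest first, so a secret that is a prefix of another is fully masked.
    ordered = sorted(set(secrets), key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return lambda text: pattern.sub(PLACEHOLDER, text)


def scrub(obj: Any, redact: Callable[[str], str]) -> Any:
    """Recursively redact every string inside a webhook payload or embed dict."""
    if isinstance(obj, str):
        return redact(obj)
    if isinstance(obj, dict):
        return {k: scrub(v, redact) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v, redact) for v in obj]
    return obj


def leaks_secret(text: str, env: Optional[Dict[str, str]] = None) -> bool:
    """Audit helper: True if any configured secret value appears verbatim in text."""
    return any(s in text for s in load_secret_values(env))


def safe_error_embed(exc: BaseException, env: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Build the embed a webhook receives for an error; only scrubbed text is forwarded."""
    redact = build_redactor(load_secret_values(env))
    embed = {
        "title": "Core-Bot error",
        "description": str(exc),  # raw exception text may quote headers or URLs
        "fields": [{"name": "type", "value": type(exc).__name__}],
    }
    return scrub(embed, redact)
```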
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-18T16:14:56.693Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69264a57ca41832e1e4ac27f
Added to database: 11/26/2025, 12:31:19 AM
Last enriched: 11/26/2025, 12:39:57 AM
Last updated: 11/26/2025, 1:02:36 AM