eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion.
An error was made in the project repository by placing a .env file containing a sensitive Supabase URI directly in the source code (CWE-260 — Password in Configuration File). The URI contains embedded authentication credentials (username and password) that are publicly accessible to anyone with access to the repository. An attacker can directly use these credentials to authenticate to the Supabase instance without any additional interaction with the victim.
An attacker gains full, unauthorized control over the Supabase database and user data, which may lead to data exfiltration, modification, or permanent deletion.
The exposed Supabase authentication credentials must be immediately revoked (rotated) — changing the application code without revoking the credentials does not eliminate the threat, as the repository history may still contain sensitive information. Patches available from the vendor should be applied according to references (commit bc2d2f9d23e6ae961a23e0d769e0722870b11108). It is recommended to review Git history for other exposed secrets and implement secret detection tools in the CI/CD pipeline.
eslint-ban-moment version 3.0.0 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H