eslint-ban-moment Supabase URI Exposure Vulnerability Allowing Unauthorized Database Access

Vulnerability

A critical vulnerability exists in the eslint-ban-moment package in versions through 3.0.0. A .env file included with the package contains a Supabase URI with embedded credentials. Anyone who obtains the package can read that URI and use it to connect to the project's Supabase database, giving unauthorized access to the database and its user data and allowing data exfiltration, modification, or deletion.

Impact

Exploitation of this vulnerability gives an attacker direct access to the Supabase database with whatever privileges the leaked credentials hold, which amounts to complete control over the database and user data. That access could be used to exfiltrate, modify, or delete sensitive information. Because the credentials are static rather than tied to a session, the exposure persists until they are rotated, regardless of whether the offending file is later removed from the package.

Remediation

The owner of the exposed Supabase project should treat the leaked credentials as compromised and invalidate them, since the URI and credentials are now public: for a database connection URI, reset the database password in the Supabase project settings; for API keys, rotate them. Database activity since the affected versions were published should then be reviewed for unauthorized access. For future projects, add '.env' to the .gitignore file so it is never committed; a '.env.example' file containing placeholder values, not real secrets, is the file meant to be committed in its place. Note that .gitignore does not decide what npm publishes: control package contents with the 'files' field in package.json or an .npmignore file, and check the result with 'npm pack --dry-run' before publishing. Consider keeping secrets in GitHub Actions secrets (for CI) or a secrets manager (for runtime) rather than in environment files shipped alongside the code.
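The following is an added example, not code from eslint-ban-moment, its maintainers, or Supabase. It implements a pre-publish check for the two halves of the remediation above: it refuses a package file listing (of the shape 'npm pack --dry-run' prints) that contains a dotenv file, and it parses a .env body to flag values that are credentials, namely URIs with a password in the userinfo part (the Supabase database connection string case) and JWT-shaped API keys. The sample .env contents and file listing are constructed for the example; the function names and the set of ignored filenames are assumptions.

```python
"""Pre-publish secret check (added example, not the package's own code)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed set of dotenv filenames that must never ship in a package or a commit.
SECRET_FILENAMES = {".env", ".env.local", ".env.production"}
# Supabase anon / service_role keys are JWTs; flag any JWT-shaped value.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

# Constructed sample .env; the values are placeholders, not the leaked ones.
SAMPLE_ENV = """# constructed sample for the example
SUPABASE_URL=https://abcdefghijkl.supabase.co
SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9.c2lnbmF0dXJl
export DATABASE_URL="postgresql://postgres:hunter2@db.abcdefghijkl.supabase.co:5432/postgres"
NODE_ENV=production
"""
# Constructed file listing, as `npm pack --dry-run` would print it.
SAMPLE_PACK_LISTING = ["package.json", "README.md", "lib/index.js", ".env"]


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv body into a dict.

    Blank lines and comments are skipped, a leading 'export ' is dropped,
    and surrounding single or double quotes are stripped from the value.
    """
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip('"').strip("'")
    return pairs


def redact_uri(value):
    """Return the URI with its userinfo password masked; other values unchanged."""
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal; not a URI we can inspect
        return value
    if parts.password is None:
        return value
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaks(env_pairs):
    """Return (key, reason, redacted_value) for every value that is a credential.

    A project URL such as https://<ref>.supabase.co on its own is not flagged:
    it is not secret. A connection URI with an embedded password, or a bare
    JWT key, is.
    """
    findings = []
    for key, value in env_pairs.items():
        try:
            parts = urlsplit(value)
        except ValueError:
            parts = None
        if parts is not None and parts.scheme and parts.password:
            findings.append((key, "uri-embedded-credentials", redact_uri(value)))
        elif JWT_RE.match(value):
            findings.append((key, "jwt-token", value[:12] + "..."))
    return findings


def check_package_files(filenames):
    """Return the entries of a package file listing that are dotenv files."""
    return [f for f in filenames if f.rsplit("/", 1)[-1] in SECRET_FILENAMES]


def publish_allowed(env_text, pack_listing):
    """True only if no dotenv file is packed and the .env holds no credentials."""
    return not check_package_files(pack_listing) and not find_leaks(parse_env(env_text))


if __name__ == "__main__":
    for name in check_package_files(SAMPLE_PACK_LISTING):
        print(f"refusing to publish: {name} is in the package contents")
    for key, reason, shown in find_leaks(parse_env(SAMPLE_ENV)):
        print(f"{key}: {reason} ({shown})")
    print("publish allowed:", publish_allowed(SAMPLE_ENV, SAMPLE_PACK_LISTING))
```

In a real pipeline the listing would come from running 'npm pack --dry-run' (or 'npm pack --json') and the .env body from the working tree; wiring the check into a 'prepublishOnly' script in package.json makes it run before every publish.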

Added: Aug 21, 2025, 5:28 PM
Updated: Aug 21, 2025, 5:28 PM

Vulnerability Rating

Custom Algorithm (score components):
spread: 0.0
impact: 3.1
exploitability: 8.1
remediation: 0.0
relevance: 0.4
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.