CVE-2025-54428

{"id": "CVE-2025-54428", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-07-28T21:15:27.327", "references": [{"url": "https://github.com/musombi123/RevelaCode-Backend/commit/95005cf4bacf1b005aef9d4b8e85237c98492d83", "source": "security-advisories@github.com"}, {"url": "https://github.com/musombi123/RevelaCode-Backend/security/advisories/GHSA-m253-qvcr-cr48", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity."}, {"lang": "es", "value": "RevelaCode es un proyecto de tecnolog\u00eda religiosa basado en IA que decodifica vers\u00edculos b\u00edblicos, profec\u00edas y eventos globales en un lenguaje accesible. En versiones anteriores a la 1.0.1, una URI v\u00e1lida de MongoDB Atlas con nombre de usuario y contrase\u00f1a integrados se envi\u00f3 accidentalmente al repositorio p\u00fablico. Esto podr\u00eda permitir el acceso no autorizado a bases de datos de producci\u00f3n o de prueba, lo que podr\u00eda provocar la exfiltraci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n de datos. Esto se solucion\u00f3 en la versi\u00f3n 1.0.1. Las soluciones alternativas incluyen la rotaci\u00f3n inmediata de las credenciales del usuario de la base de datos expuesta, el uso de un gestor de secretos (como Vault, Doppler, AWS Secrets Manager, etc.) en lugar de almacenar los secretos directamente en el c\u00f3digo, o la auditor\u00eda de los registros de acceso recientes para detectar actividad sospechosa."}], "lastModified": "2025-07-29T14:14:29.590", "sourceIdentifier": "security-advisories@github.com"}