{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-10894","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2025-09-23T16:30:03.636Z","datePublished":"2025-09-24T21:20:31.242Z","dateUpdated":"2025-11-20T07:26:10.947Z"},"containers":{"cna":{"title":"Nx: nx/devkit: malicious versions of nx and plugins published to npm","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."}],"affected":[{"versions":[{"status":"affected","version":"20.12.0"},{"status":"affected","version":"21.8.0"},{"status":"affected","version":"21.7.0"},{"status":"affected","version":"20.11.0"},{"status":"affected","version":"21.6.0"},{"status":"affected","version":"20.10.0"},{"status":"affected","version":"20.9.0"},{"status":"affected","version":"21.5.0"}],"packageName":"nx","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"20.9.0"},{"status":"affected","version":"21.5.0"}],"packageName":"nx/devkit","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"3.2.0"}],"packageName":"nx/enterprise-cloud","collectionURL":"https://nx.dev/powerpack","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"21.5.0"}],"packageName":"nx/eslint","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"20.9.0"},{"status":"affected","version":"21.5.0"}],"packageName":"nx/js","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"3.2.0"}],"packageName":"nx/key","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"20.9.0"},{"status":"affected","version":"21.5.0"}],"packageName":"nx/node","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"versions":[{"status":"affected","version":"20.9.0"},{"status":"affected","version":"21.5.0"}],"packageName":"nx/workspace","collectionURL":"https://github.com/nrwl/nx","defaultStatus":"unaffected"},{"vendor":"Red Hat","product":"Multicluster Global Hub","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"multicluster-globalhub/multicluster-globalhub-grafana-rhel9","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:multicluster_globalhub"]},{"vendor":"Red Hat","product":"OpenShift Serverless","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:serverless:1"]},{"vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhacm2/acm-grafana-rhel9","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:acm:2"]},{"vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"automation-gateway","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:ansible_automation_platform:2"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2025-10894","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/supply-chain-attacks-NPM-packages"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396282","name":"RHBZ#2396282","tags":["issue-tracking","x_refsource_REDHAT"]},{"url":"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"},{"url":"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"},{"url":"https://www.wiz.io/blog/s1ngularity-supply-chain-attack"}],"datePublic":"2025-09-23T16:51:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-506","description":"Embedded Malicious Code","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-506: Embedded Malicious Code","timeline":[{"lang":"en","time":"2025-09-17T21:01:13.505Z","value":"Reported to Red Hat."},{"lang":"en","time":"2025-09-23T16:51:00.000Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2025-11-20T07:26:10.947Z"}},"adp":[{"references":[{"url":"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c","tags":["exploit"]},{"url":"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-25T13:51:05.714060Z","id":"CVE-2025-10894","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-25T13:51:09.059Z"}}]}}