Overview
CVE-2025-65957 identifies a vulnerability in Core Bot, an open-source Discord bot designed for Maple Hospital servers. Prior to commit dffe050, sensitive API keys, including `SUPABASE_API_KEY` and `TOKEN`, could be inadvertently exposed due to improper handling in error messages, summaries, and webhook configurations. This vulnerability has been addressed with the aforementioned commit.
Technical Details
Core Bot utilizes environment variables to store sensitive API keys. The vulnerability stemmed from the bot’s code failing to properly redact these keys when generating summaries, error messages, or interacting with webhooks. Specifically, under certain error conditions or when creating log entries, the values of the `SUPABASE_API_KEY` and `TOKEN` environment variables could be included in plain text, potentially exposing them to unauthorized individuals.
The vulnerable code sections were related to:
- Error handling routines that displayed verbose error messages.
- Summary generation features that included configuration details.
- Webhook integrations that logged activity and configuration parameters.
CVSS Analysis
CVSS Score: N/A
Severity: N/A
Explanation: While the vulnerability could lead to sensitive information disclosure, the provided information does not include a calculated CVSS score or severity rating. A CVSS score would typically be calculated based on factors such as attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. Given the potential for API key exposure, it is likely this would be rated as at least “Medium” severity if a CVSS score were available. The exact score would depend on the specifics of deployment and the scope of the exposed data.
Possible Impact
Exploitation of this vulnerability could have significant consequences:
- Unauthorized Access: Exposed API keys could allow malicious actors to access and manipulate the Supabase database associated with the Core Bot application.
- Account Compromise: Leaked Discord bot tokens could grant unauthorized control over the bot, allowing attackers to perform actions on behalf of the bot account.
- Data Breach: Access to the Supabase database could lead to a data breach, exposing sensitive information related to Maple Hospital servers and users.
- Reputational Damage: A successful attack could damage the reputation of the Core Bot developers and the Maple Hospital servers using the bot.
Mitigation or Patch Steps
The vulnerability has been patched in commit dffe050. Users of Core Bot are strongly advised to take the following steps:
- Update to the Latest Version: The most important step is to update Core Bot to the latest version that includes the patch (commit dffe050 or later).
- Rotate API Keys: As a precaution, even after updating, it’s recommended to rotate the `SUPABASE_API_KEY` and `TOKEN` to invalidate any keys that may have been previously exposed.
- Review Logs: Examine existing logs for any instances where sensitive API keys might have been exposed.
- Implement Monitoring: Implement monitoring and alerting mechanisms to detect any future attempts to access sensitive information or exploit vulnerabilities.
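For the "Review Logs" step, the following is an added example (not code from Core Bot or from the patch) that searches log lines for verbatim copies of the `SUPABASE_API_KEY` and `TOKEN` values and reports where they appear without printing them. The function names, the minimum-length threshold, and the sample values and log lines are assumptions constructed for illustration.

```python
import os

# Variable names come from the advisory; values are read from the environment.
# Everything else here (function names, MIN_LEN) is hypothetical.
SECRET_VARS = ("SUPABASE_API_KEY", "TOKEN")
MIN_LEN = 8  # ignore unset or very short values that would match unrelated text


def load_secrets(env=os.environ):
    """Return {var_name: value} for the secrets that are actually set."""
    return {n: env[n] for n in SECRET_VARS if len(env.get(n, "")) >= MIN_LEN}


def scan_lines(lines, secrets):
    """Yield (line_number, var_name, redacted_line) for each verbatim exposure.
    The secret value itself is never emitted."""
    for no, line in enumerate(lines, start=1):
        hits = [n for n, v in secrets.items() if v in line]
        if not hits:
            continue
        redacted = line.rstrip("\n")
        for n in sorted(hits, key=lambda k: len(secrets[k]), reverse=True):
            redacted = redacted.replace(secrets[n], f"[REDACTED:{n}]")
        for n in hits:
            yield no, n, redacted


# Constructed sample data: fake secret values and fake log lines.
SAMPLE_ENV = {
    "SUPABASE_API_KEY": "sb-constructed-key-0123456789",
    "TOKEN": "constructed.discord.token-abcdef",
}
SAMPLE_LOG = [
    "2025-01-01 12:00:00 INFO bot started\n",
    "2025-01-01 12:00:05 ERROR request failed: apikey=sb-constructed-key-0123456789\n",
    "2025-01-01 12:00:09 INFO summary: {'TOKEN': 'constructed.discord.token-abcdef'}\n",
]


def demo():
    """Scan the constructed log with the constructed secrets."""
    return list(scan_lines(SAMPLE_LOG, load_secrets(SAMPLE_ENV)))


if __name__ == "__main__":
    for no, name, line in demo():
        print(f"line {no}: {name} exposed -> {line}")
```

Run the scan with the pre-rotation values in the environment, since rotated keys no longer match what was logged. It only finds verbatim copies, so encoded or truncated forms of a key need a separate check.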
References
- GitHub Commit (Patch): https://github.com/Intercore-Productions/Core-Bot/commit/dffe050d565a580edfcd0242efa45da88ab31260
- GitHub Security Advisory: https://github.com/Intercore-Productions/Core-Bot/security/advisories/GHSA-42j6-x28v-38r8
