CVE-2025-54428 CRITICAL

CVE-2025-54428: RevelaCode exposes Sensitive MongoDB Atlas URI in .env (potential credential leak)

Vendor Musombi123
Product RevelaCode-Backend
Weakness CWE-522 · Insufficiently protected credentials
Published July 28, 2025
Last update July 28, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with an embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating the credentials of the exposed database user, using a secret manager (such as Vault, Doppler or AWS Secrets Manager) instead of storing secrets directly in code, and auditing recent access logs for suspicious activity.
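As an added example (not code from the RevelaCode project), the following Python check scans .env content for MongoDB and MongoDB Atlas connection strings that carry an embedded username and password, the pattern behind this CVE, and reports each hit with the password redacted so it can serve as a pre-commit hook. The sample .env text, key names and host are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Matches mongodb:// and mongodb+srv:// (the Atlas form) connection strings.
MONGO_URI_RE = re.compile(r"mongodb(?:\+srv)?://[^\s'\"]+")

# Constructed sample .env content; not the project's real file or credentials.
SAMPLE_ENV = """\
PORT=5000
MONGO_URI="mongodb+srv://app_user:Sup3r%40Secret@cluster0.abcde.mongodb.net/revela?retryWrites=true&w=majority"
MONGO_URI_SAFE=mongodb+srv://cluster0.abcde.mongodb.net/revela
JWT_SECRET=changeme
"""

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file; blank lines and comments are
    skipped and surrounding quotes are stripped from values."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

def find_embedded_credentials(text):
    """Return [(key, redacted_uri)] for every value holding a MongoDB URI whose
    userinfo carries both a username and a password (CWE-522 once committed)."""
    findings = []
    for key, value in parse_env(text).items():
        for match in MONGO_URI_RE.finditer(value):
            uri = match.group(0)
            parts = urlsplit(uri)  # userinfo is returned without percent-decoding
            if not parts.username or not parts.password:
                continue  # host-only URI: credentials must be supplied elsewhere
            findings.append((key, uri.replace(f":{parts.password}@", ":***@", 1)))
    return findings

def main(path):
    """Pre-commit style entry point: non-zero exit when credentials are found."""
    with open(path, encoding="utf-8") as fh:
        findings = find_embedded_credentials(fh.read())
    for key, redacted in findings:
        print(f"{path}: {key} embeds database credentials: {redacted}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else ".env"))
```

Only the redacted form is printed, so the hook's output can be pasted into a ticket without re-leaking the secret.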

Key dates

Disclosure timeline

July 28, 2025 CVE published
July 28, 2025 Record updated