GitHub Repo 'V-Achilles' Exposes Critical Security Flaw in eslint-plugin-flowtype Dependency
A critical security vulnerability has been flagged as reachable within the GitHub repository 'V-Achilles', stemming from its dependency on a vulnerable version of the eslint-plugin-flowtype package. The vulnerability, identified as CVE-2025-13465, carries a CVSS score of 7.2 (high severity), indicating a significant risk of exploitation. This is not merely a theoretical finding: the security scan explicitly marks the flaw as 'reachable', meaning the vulnerable code path is present and could be triggered within the application's runtime environment, with the frontend components being the affected part of the project.
The issue is rooted in the `eslint-plugin-flowtype-5.3.1.tgz` library, which is listed as a dependency in multiple project configuration files, including `/baak-vizualization/package.json` and `/achilles-frontend/package.json`. The vulnerability was detected at the repository's HEAD commit, so the active codebase is directly exposed. Any application built from this repository inherits that attack surface, which potentially compromises the security of the entire 'V-Achilles' project and of any downstream deployments that rely on it.
A high-severity, reachable flaw in a foundational development tool such as a linter plugin points to a critical gap in dependency management. The available remediation is to upgrade the eslint-plugin-flowtype package to a patched version, and the project's maintainers should apply it promptly. Until that is done, the software supply chain remains exposed to the potential code-execution or data-manipulation attacks that could stem from this specific dependency path.