12 matches found
CVE-2026-6636
A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulation of the argument pathname results in path traversal. It is possible to initiate the attack...
CVE-2026-24910
In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...
2webp (>=0.1.4 <=0.1.5), @57block/stellar-resource-usage (>=0.0.1 <=1.2.0) +358 more potentially affected by CVE-2026-24910 via bun (>=1.0.13 <=1.3.2)
bun NPM version =1.0.13, =0.1.4, =0.0.1, =0.2.0, =0.5.0, =0.0.1, =0.0.1, =0.0.2, =0.1.0, =0.0.1, =3.260321.1, =0.260331.1, =0.260425.2 and more Source cves: CVE-2026-24910 Source advisory: SNYK:JS-BUN-15123966...
Use of Less Trusted Source
Overview Affected versions of this package are vulnerable to Use of Less Trusted Source that can circumvent the trusted dependencies list. An attacker can cause unintended dependencies to be loaded by including malicious file:, link:, git:, or github: URLs to import packages whose names also exis...
CVE-2026-24910
CVE-2026-24910 affects Bun prior to 1.3.5. The issue: the default trusted dependencies list (trust allow list) can be spoofed by a non-npm package when a name matches an existing trusted dependency, across file, link, git, or GitHub sources. Reported impacts include potential manipulation of the ...
Bun security vulnerabilities
Bun is an open-source toolkit developed by Bun developers, designed for use with JavaScript and TypeScript applications. Versions of Bun prior to 1.3.5 contained a security vulnerability. This vulnerability stemmed from the default trusted dependency list being susceptible to being exploited by...
CVE-2025-8022
...
CVE-2025-8022
CVE-2025-8022 entry is rejected/not used and does not represent an active vulnerability.
@01ht/ht-api-helper-functions (>=1.0.0 <=1.0.2), @1amageek/tradable (>=0.1.0 <=0.9.0) +525 more potentially affected by CVE-2024-21548 via bun (>=0.0.10 <=1.1.3)
bun NPM version =0.0.10, =1.0.0, =0.1.0, =1.0.1, =0.0.1, =0.1.17, =1.0.0, =0.0.3, =1.1.21, =0.0.2, =0.1.0, =0.0.1, =1.6.0, =1.16.0 and more Source cves: CVE-2024-21548 Source advisory: OSV:GHSA-V9MX-4PQQ-H232...
Bun security vulnerabilities
Bun is an open-source all-in-one toolkit for JavaScript and TypeScript applications. A security vulnerability exists in versions of Bun prior to 1.1.30, which stems from improper input sanitization and susceptibility to prototype pollution...
@agent_z/egg (>=1.0.0 <=1.0.2), @ccci/micro-server (>=1.0.57 <=1.0.132) +16 more potentially affected by CVE-2024-21548 via bun (>=0.0.2 <=1.1.3)
bun NPM version =0.0.2, =1.0.0, =1.0.57, =1.0.0, =0.0.0, =0.0.2, =0.0.3, =0.0.2, =0.0.3, =0.2.0, =0.0.55, =0.1.0, =0.1.1 and more Source cves: CVE-2024-21548 Source advisory: SNYK:JS-BUN-8499549...