CVE-2025-8022: bun vulnerable to OS Command Injection

July 23, 2025

All versions of the package bun are vulnerable to Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line arguments or shell metacharacters, leading to unintended command execution.

References

gist.github.com/lirantal/9780d664037f29d5277d7b2bc569d213
github.com/advisories/GHSA-4j66-8f4r-3pjx
github.com/oven-sh/bun
nvd.nist.gov/vuln/detail/CVE-2025-8022
security.snyk.io/vuln/SNYK-JS-BUN-9510752

Code Behaviors & Features

Detect and mitigate CVE-2025-8022 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →