CVE-2025-8022
bun vulnerable to OS Command Injection
8.8 HIGH (CVSS 3.1)
Description
All versions of the package bun are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line arguments or shell metacharacters, leading to unintended command execution.
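The defensive pattern the description points at is validating user-controlled values before they are handed to any shell-invoking API, so that both shell metacharacters and option-style values (a leading "-", which a child program parses as a flag) are rejected up front. The following is an added example for this advisory, not code from the advisory or from the Bun project; it is plain JavaScript that runs under Node, does not call Bun's `$` itself, and the helper names (`classifyArg`, `assertSafeArgs`) and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the advisory or the Bun project: allow-list
// validation for values an application forwards as shell arguments
// (for instance through a template-tag shell API such as Bun's `$`).
// Helper names are hypothetical; no Bun API is used here.

// Allowed argument shape: starts with a letter, digit or underscore, then
// letters, digits, dot, underscore, slash or hyphen. A hyphen is allowed only
// after the first character, so option-like values never match.
const SAFE_ARG = /^[A-Za-z0-9_][A-Za-z0-9._\/-]*$/;

// Shell metacharacters (and whitespace) reported with an explicit reason.
const SHELL_META = /[;&|`$<>(){}\[\]*?~!\\'"\s]/;

// Classify one value. Returns "ok" or a short reason for rejection.
function classifyArg(value) {
  if (typeof value !== "string" || value.length === 0) return "empty";
  if (value.startsWith("-")) return "option-like";          // would be read as a flag
  if (SHELL_META.test(value)) return "shell-metacharacter"; // e.g. ";", "$(", "|"
  if (!SAFE_ARG.test(value)) return "disallowed-character"; // anything else off the allow-list
  return "ok";
}

// Validate a whole argument list; throws with every rejected value attached,
// returns the list unchanged when all values pass.
function assertSafeArgs(values) {
  const rejected = [];
  for (const v of values) {
    const reason = classifyArg(v);
    if (reason !== "ok") rejected.push({ value: v, reason });
  }
  if (rejected.length > 0) {
    const err = new Error(`rejected ${rejected.length} unsafe shell argument(s)`);
    err.rejected = rejected;
    throw err;
  }
  return values;
}

// Constructed sample inputs, as they might arrive from an HTTP request body.
const SAMPLE_INPUTS = [
  "report-2025.txt",       // ok
  "docs/readme.md",        // ok
  "file.txt; id",          // shell-metacharacter
  "$(whoami)",             // shell-metacharacter
  "--output=/tmp/x",       // option-like
  "name=value",            // disallowed-character ("=" is not on the allow-list)
  "",                      // empty
];

// Returns [value, verdict] pairs for the sample inputs.
function demo() {
  return SAMPLE_INPUTS.map((v) => [v, classifyArg(v)]);
}

for (const [value, verdict] of demo()) {
  console.log(JSON.stringify(value).padEnd(22), verdict);
}
```

Call `assertSafeArgs(userValues)` before the values reach a shell command; the allow-list is deliberately narrow (file-name-like tokens only) and should be widened per call site rather than globally. This is an input-validation layer in the application, not a substitute for an upstream fix in the package.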
How to fix CVE-2025-8022
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- npm/bun: no fix listed
Is CVE-2025-8022 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-8022.
Affected packages (1)
- npm/bun: all versions from 0 up to and including 1.1.39
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |