Description
In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).
Published: 2026-01-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Package Trust Spoofing / Potential Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

The vulnerability affects Bun versions before 1.3.5. Bun's trusted dependencies list (the trust allow list) decides which packages may run their lifecycle scripts (preinstall, install, postinstall) during bun install; scripts of every other package are blocked by default. Before 1.3.5 the default list was matched on package name alone, so a dependency resolved from a non‑npm source (a file, link, git, or github specifier) that reuses the name of a default‑trusted package inherits that trust and has its lifecycle scripts executed without any opt‑in from the project. This is the CWE‑348 weakness recorded below (use of a less trusted source): the name check stands in for a check of where the package actually came from. The result is arbitrary code execution during installation, as the user running Bun, and a break in the integrity of the dependency chain.

Affected Systems

The affected product is Bun itself (vendor Bun, product bun in the records below). Every installation running a version before 1.3.5 is affected on every operating system, because the flaw is in the package manager's trust check rather than in any platform‑specific code. A dependency tree that contains no file, link, git, or github specifier, including in transitive dependencies, cannot reach the faulty path, but that is hard to guarantee without reviewing the lockfile.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (vector AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N, recorded below) rates the attack as local and high‑complexity with a changed scope and an integrity‑only impact, and the EPSS score below 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, although the SSVC record below notes Exploitation: poc (a proof of concept exists) and Automatable: no. The likely attack vector is getting a file, link, git, or github dependency whose name matches a default‑trusted package into a project's package.json or lockfile, for example through a pull request or a compromised transitive dependency; once Bun resolves it, the package's lifecycle scripts run as the user executing bun install. Note that the vector scores no confidentiality or availability impact even though code execution in the install environment would normally affect both, so treat 5.9 as a floor for CI runners and developer workstations rather than a ceiling.

Generated by OpenCVE AI on April 18, 2026 at 01:53 UTC.

Remediation

This page records no vendor advisory or documented workaround. The CVE description itself bounds the flaw to versions before 1.3.5, so 1.3.5 is the release in which it is fixed; the recommended actions below follow from that.

OpenCVE Recommended Actions

  • Upgrade Bun to version 1.3.5 or later to eliminate the spoofing flaw.
  • Review package.json and the lockfile (bun.lock or bun.lockb) for dependencies, including transitive ones, pulled from file, link, git, or github specifiers; treat any such dependency whose name matches a default‑trusted package as suspect until its source has been verified, and prefer registry installs over non‑npm sources unless they are genuinely needed.
  • Keep the project's trustedDependencies entry in package.json minimal and explicit, and run installs with lifecycle scripts disabled (bun install --ignore-scripts) in CI unless a specific package is known to need its install script, so that a spoofed trust entry has nothing to run.
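
The following is an added example, not Bun's code, that models the trust check described in the Impact section above and implements the audit suggested in the actions above. Bun's package manager is written in Zig and its real logic differs; the function shapes, the sample default‑trusted list and the sample package.json are all constructed for illustration, and the rule that a project's own trustedDependencies entry is honoured for any source is an assumed policy rather than documented Bun behaviour.

```javascript
// Added example, not Bun's code: a model of the trusted-dependencies check
// described in CVE-2026-24910 and an audit of a package.json for the
// name collisions the flaw depends on. Bun's real package manager is written
// in Zig; the function shapes, the sample trusted list and the sample
// package.json below are constructed for illustration.

// Constructed stand-in for Bun's default trusted list (the real list is
// maintained inside Bun and is longer).
const DEFAULT_TRUSTED = new Set(["esbuild", "sharp", "node-sass"]);

// Classify a package.json specifier into the resolution kinds the advisory
// names. Simplified: anything not recognised as file/link/git/github is
// assumed to resolve through the npm registry.
function classifySpecifier(spec) {
  if (spec.startsWith("file:")) return "file";
  if (spec.startsWith("link:")) return "link";
  if (spec.startsWith("github:")) return "github";
  if (spec.startsWith("git+") || spec.startsWith("git://") || spec.endsWith(".git")) return "git";
  // "owner/repo" or "owner/repo#ref" shorthand is GitHub; semver ranges,
  // dist-tags and "npm:" aliases never contain a slash.
  if (/^[\w.-]+\/[\w.-]+(#\S*)?$/.test(spec)) return "github";
  return "npm";
}

// Pre-1.3.5 behaviour as the CVE describes it: trust is keyed on the name
// alone, so a file/link/git/github package reusing a trusted name gets its
// lifecycle scripts run.
function scriptsAllowedVulnerable(name, kind, projectTrusted) {
  return DEFAULT_TRUSTED.has(name) || projectTrusted.has(name);
}

// Hardened check: the default list only vouches for packages that actually
// came from the npm registry. A name the project listed itself in
// trustedDependencies is honoured for any source, since that is an explicit
// decision by the project (assumed policy, not necessarily Bun's).
function scriptsAllowedHardened(name, kind, projectTrusted) {
  if (projectTrusted.has(name)) return true;
  return kind === "npm" && DEFAULT_TRUSTED.has(name);
}

// Audit a parsed package.json: report every non-npm dependency whose name
// collides with a default-trusted package. Each finding is a package whose
// install scripts an affected Bun would have run without opt-in.
function auditPackageJson(pkg, defaultTrusted = DEFAULT_TRUSTED) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      const kind = classifySpecifier(spec);
      if (kind !== "npm" && defaultTrusted.has(name)) {
        findings.push({ field, name, spec, kind });
      }
    }
  }
  return findings;
}

// Constructed sample package.json: two collisions (sharp from GitHub,
// node-sass from a local path), one legitimate registry install of esbuild,
// and one explicitly trusted registry package.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    esbuild: "^0.21.0",
    sharp: "github:someone/sharp",
    "node-sass": "file:./vendor/node-sass",
    "left-pad": "^1.3.0",
  },
  trustedDependencies: ["left-pad"],
};

// Evaluate every dependency under both checks; returns name -> decisions so
// the difference between the vulnerable and hardened rule is visible.
function compareChecks(pkg) {
  const projectTrusted = new Set(pkg.trustedDependencies ?? []);
  const result = {};
  for (const [name, spec] of Object.entries(pkg.dependencies ?? {})) {
    const kind = classifySpecifier(spec);
    result[name] = {
      kind,
      vulnerable: scriptsAllowedVulnerable(name, kind, projectTrusted),
      hardened: scriptsAllowedHardened(name, kind, projectTrusted),
    };
  }
  return result;
}

// Stand-alone run: print the audit findings and the side-by-side decisions.
for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`collision: ${f.field}.${f.name} = ${f.spec} (${f.kind})`);
}
console.log(JSON.stringify(compareChecks(SAMPLE_PACKAGE_JSON), null, 2));
```

Run against a real project, auditPackageJson would be fed the parsed package.json of the project and of every package in the lockfile, since a transitive dependency can declare a git or github dependency of its own; the specifier classifier is deliberately conservative and only recognises the four forms the advisory names.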

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 02:15:00 +0000
  Title (added): Bun Trust Allow List Spoofing Allows Malicious Packages to Be Trusted

Wed, 28 Jan 2026 22:15:00 +0000
  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000
  First Time appeared (added): Bun; Bun bun
  Vendors & Products (added): Bun; Bun bun

Tue, 27 Jan 2026 22:45:00 +0000
  Description (added): In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).
  Weaknesses (added): CWE-348
  References (added): none recorded
  Metrics (added): cvssV3_1
    {'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}

(No entry in this history removed a value; every change is an addition.)


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-01-28T21:19:54.515Z

Reserved: 2026-01-27T22:26:26.541Z

Link: CVE-2026-24910

Vulnrichment

Updated: 2026-01-28T21:19:49.038Z

NVD

Status: Deferred

Published: 2026-01-27T23:15:50.860

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses