OS Command Injection Vulnerability in bun by Snyk
CVE-2025-8022

8.7HIGH

Key Information:

Vendor: Snyk
Status: Bun
Vendor: CVE Published:; 23 July 2025

What is CVE-2025-8022?

The bun package is susceptible to an OS Command Injection vulnerability stemming from inadequate handling of user inputs in its shell API. Attackers can exploit this flaw to inject malicious command-line arguments or shell metacharacters, resulting in unauthorized command execution on the system. Proper input validation measures are essential to mitigate such risks and protect against potential exploitation.

Affected Version(s)

bun 0

References

https://security.snyk.io/vuln/SNYK-JS-BUN-9510752

https://gist.github.com/lirantal/9780d664037f29d5277d7b2b...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 23, 2025
Vulnerability Reserved
Jul 22, 2025

Credit

Liran Tal