CVE-2024-21548
📋 TL;DR
This CVE describes a prototype pollution vulnerability in the Bun JavaScript runtime. Attackers can exploit this by passing malicious objects to Bun's APIs, potentially allowing them to modify object prototypes and execute arbitrary code. This affects all applications using vulnerable versions of Bun (0.0.13 through 1.1.29).
💻 Affected Systems
- Bun JavaScript runtime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the environment.
Likely Case
Application instability, denial of service, or limited data manipulation depending on how Bun is used in the application.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially causing application crashes but no code execution.
🎯 Exploit Status
Exploitation requires crafting malicious objects that trigger the prototype pollution, but no public proof-of-concept has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.30
Vendor Advisory: https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a
Restart Required: Yes
Instructions:
1. Update Bun to version 1.1.30 or later using the 'bun upgrade' command.
2. Restart all applications and services using Bun.
3. Verify the update with 'bun --version'.
🔧 Temporary Workarounds
Input validation wrapper
Implement strict input validation for all objects passed to Bun APIs
Object.freeze on prototypes
Freeze Object.prototype and other critical prototypes to prevent pollution
Object.freeze(Object.prototype);
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-supplied objects
- Run Bun applications in isolated containers or sandboxes with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Run 'bun --version' and check whether the reported version is between 0.0.13 and 1.1.29 inclusive
Check Version:
bun --version
Verify Fix Applied:
Run 'bun --version' and confirm the reported version is 1.1.30 or higher
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes
- Unusual object property modifications
- Prototype modification attempts in logs
Network Indicators:
- Unusual API calls with complex nested objects
- Requests containing specially crafted JSON payloads
SIEM Query:
source="application_logs" AND ("prototype" OR "__proto__") AND "bun"