CVE-2025-30210

6.1 MEDIUM

📋 TL;DR

Bruno API IDE versions before 1.39.1 contain a cross-site scripting vulnerability where environment names are injected as raw HTML. This allows execution of malicious scripts when users hover over environment names in collections imported from untrusted sources. Only users who import and open malicious Bruno/Postman collections are affected.

💻 Affected Systems

Products:
  • Bruno API IDE
Versions: All versions prior to 1.39.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using collections feature with environment names; requires user interaction (hover).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary JavaScript execution in the Bruno IDE context, potentially allowing local file access, credential theft, or system compromise depending on Bruno's permissions.

🟠 Likely Case

Limited impact, since exploitation requires the user to import a malicious collection and hover over specific elements; most likely used for targeted attacks against developers.

🟢 If Mitigated

No impact if users only import collections from trusted sources or have updated to the patched version.

🌐 Internet-Facing: LOW - Bruno is a desktop application, not typically internet-facing.
🏢 Internal Only: MEDIUM - Risk exists within development environments where users might import external collections.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to get a user to import a malicious collection and hover over an environment name.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.39.1

Vendor Advisory: https://github.com/usebruno/bruno/security/advisories/GHSA-fqxc-cxph-9vq8

Restart Required: Yes

Instructions:

1. Open Bruno IDE
2. Go to Settings/About
3. Check for updates or manually download v1.39.1+
4. Install update and restart Bruno

🔧 Temporary Workarounds

Avoid untrusted collections (applies to: all)

Only import Bruno/Postman collections from trusted sources; verify collection contents before importing.

Disable environment tooltips (applies to: all)

Avoid hovering over environment names in collections if the source is untrusted.

🧯 If You Can't Patch

  • Implement strict collection import policies - only allow verified sources
  • Train developers to inspect collection files before importing and avoid hovering on untrusted environment names

🔍 How to Verify

Check if Vulnerable:

Check the Bruno version in the Settings/About menu; if it is below 1.39.1, the installation is vulnerable.

Check Version:

In Bruno: Settings → About → Version

Verify Fix Applied:

Confirm version is 1.39.1 or higher in Settings/About menu.
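Comparing a version string against 1.39.1 by eye is fine for one machine, but across a fleet the comparison is easy to get wrong: a plain string compare says "1.4.0" is greater than "1.39.1". The following is an added example, not Bruno's own code; it takes the version string as displayed under Settings → About (or collected by an inventory tool) and decides whether it is below the patched release, treating a pre-release suffix such as `1.39.1-beta.1` as older than `1.39.1`. The host list at the bottom is constructed.

```javascript
// Added example (not part of Bruno): semantic version check against the
// patched release named in this advisory.
const PATCHED_VERSION = "1.39.1";

// Parse "v1.39.1", "1.39.1" or "1.39.1-beta.1" into numeric parts plus an
// optional pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { parts: m.slice(1, 4).map(Number), pre: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator. Numeric parts first; a pre-release
// sorts below the same release without one (semver rule).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Given inventory rows {host, version}, return the hosts still needing the
// update, sorted by hostname.
function hostsNeedingUpdate(rows) {
  return rows
    .filter((r) => isVulnerable(r.version))
    .map((r) => r.host)
    .sort();
}

// Constructed inventory for the demonstration.
const INVENTORY = [
  { host: "dev-01", version: "1.38.0" },
  { host: "dev-02", version: "v1.39.1" },
  { host: "dev-03", version: "1.4.0" },
  { host: "dev-04", version: "1.39.10" },
  { host: "dev-05", version: "1.39.1-beta.1" },
];

// Prints: needs update: dev-01, dev-03, dev-05
console.log("needs update: " + hostsNeedingUpdate(INVENTORY).join(", "));
```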

📡 Detection & Monitoring

Log Indicators:

  • No specific log indicators for this client-side vulnerability

Network Indicators:

  • No network-based detection as exploit is local

SIEM Query:

Not applicable - client-side desktop application vulnerability
