CVE-2025-30354

4.3 MEDIUM

📋 TL;DR

A sandbox bypass vulnerability in Bruno IDE allows malicious API collection files to execute arbitrary code when imported and run, even in Safe Mode. Only users who download and open untrusted Bruno collections are affected. The vulnerability requires user interaction and is limited to local exploitation.

💻 Affected Systems

Products:
  • Bruno API IDE
Versions: All versions before 1.39.1
Operating Systems: All platforms where Bruno runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running single requests from imported collections; batch operations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the user's system if a malicious collection file is imported and executed, potentially leading to full system compromise.

🟠 Likely Case

Limited local code execution within Bruno's context when users import collections from untrusted sources, potentially stealing API credentials or local data.

🟢 If Mitigated

No impact if users only use trusted collections or have updated to patched versions.

🌐 Internet-Facing: LOW - Requires user to download and execute malicious files; not remotely exploitable.
🏢 Internal Only: MEDIUM - Internal users could be tricked into importing malicious collections, but requires deliberate user action.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires creating a malicious Bruno collection file and convincing a user to import and run it.

Exploitation requires social engineering to get users to download and open malicious collections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.39.1

Vendor Advisory: https://github.com/usebruno/bruno/security/advisories/GHSA-hffg-7v8v-79j3

Restart Required: Yes

Instructions:

1. Open Bruno IDE.
2. Go to Settings > About.
3. Check the current version.
4. If below 1.39.1, download the latest version from the official website.
5. Install the update.
6. Restart Bruno.

🔧 Temporary Workarounds

Disable Developer Mode

Applies to: all platforms

Avoid using Developer Mode entirely to prevent assertion execution.

Restrict Collection Sources

Applies to: all platforms

Only import Bruno collections from trusted, verified sources.

🧯 If You Can't Patch

  • Only use Bruno collections from trusted internal sources or official repositories.
  • Run Bruno in isolated environments or virtual machines when testing untrusted collections.

🔍 How to Verify

Check if Vulnerable:

Open Bruno, go to Settings > About, check if version is below 1.39.1.

Check Version:

Check Bruno's About dialog or run 'bruno --version' if available via CLI.

Verify Fix Applied:

After updating, confirm version is 1.39.1 or higher in Settings > About.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected assertion failures in Bruno logs
  • Execution of unfamiliar collection files

Network Indicators:

  • Downloads of Bruno collection files from untrusted sources

SIEM Query:

Process execution: bruno.exe with command line containing collection import from suspicious locations.
