CVE-2026-24910
📋 TL;DR
Bun runs a dependency's lifecycle scripts (preinstall, install, postinstall) only if the package is on Bun's built-in default trusted dependencies list or is named in the project's trustedDependencies. In affected versions, that check matched on package name alone, so a package installed from a non-npm source (file, link, git or github) whose name matched a default-trusted package was treated as trusted and its lifecycle scripts ran. An attacker who can get such a package into a project's install gets code execution on the developer machine or CI runner, a supply-chain attack by dependency-name confusion. It affects Bun users who rely on the default trusted dependencies list.
💻 Affected Systems
- Bun
⚠️ Manual Verification Required
The CVE database entry used for this page carries no version ranges, so automatic vulnerability detection cannot determine if your system is affected.
Why? The NVD entry doesn't specify which versions are vulnerable. The vendor advisory referenced below does name 1.3.5 as the release containing the fix, so treat earlier releases as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through execution of malicious code from spoofed trusted dependencies, leading to data theft, ransomware deployment, or persistent backdoors.
Likely Case
Execution of a malicious lifecycle script during bun install on a developer workstation or CI runner, stealing credentials and tokens present in the environment, modifying files, or establishing a foothold in the development environment.
If Mitigated
Limited impact if lifecycle scripts are disabled, non-registry dependency sources are reviewed, and installs run in isolated environments; at worst an isolated development environment is compromised.
🎯 Exploit Status
Exploitation requires getting a victim to install, from a file, link, git or github source, a package whose name matches an entry on Bun's default trusted list; a vulnerable Bun then runs that package's lifecycle scripts without the usual trust prompt. In practice that means a changed specifier in package.json (for example via a malicious pull request) or a compromised repository already used as a git dependency.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5
Vendor Advisory: https://bun.com/blog/bun-v1.3.5
Restart Required: No
Instructions:
Update Bun to version 1.3.5 or later using: bun upgrade
Verify installation with: bun --version
Review and update any custom trust configurations if needed.
🔧 Temporary Workarounds
Disable lifecycle scripts
Skip all dependency lifecycle scripts so that a spoofed trusted name gains nothing, using Bun's install flag:
bun install --ignore-scripts
This blocks scripts for legitimately trusted packages too (native addons that compile on install will need a manual step), so it is best suited to CI and to installs of untrusted branches.
Review non-registry sources and keep trust explicit
Treat every file:, link:, git: or github: specifier whose package name appears in the output of bun pm default-trusted as suspect until its contents are reviewed; the spoof only works for names on that list. Keep the packages you deliberately trust listed in package.json rather than relying on the default list alone. Example (package.json):
"trustedDependencies": ["react", "lodash"]
Listing packages this way adds to the default list rather than replacing it, so it documents intent but does not by itself block the spoof; the source review above is still needed.
🧯 If You Can't Patch
- Restrict dependencies to registry sources: reject file:, link:, git: and github: specifiers in code review, or fail the build when one appears under a name that is on the default trusted list
- Run bun install in isolated environments (containers or CI runners with no long-lived credentials) so a lifecycle script that does run has nothing valuable to steal
🔍 How to Verify
Check if Vulnerable:
Check the Bun version with: bun --version. Versions below 1.3.5 do not contain the fix named in the vendor advisory and should be treated as vulnerable.
Check Version:
bun --version
Verify Fix Applied:
Run: bun --version and confirm the version is 1.3.5 or higher. To confirm the behaviour, install a dependency from a file: or git: source under a name on the default trusted list that is not in your trustedDependencies; on a fixed Bun its lifecycle scripts must not run, and bun pm untrusted should list it among the packages whose scripts were blocked.
📡 Detection & Monitoring
Log Indicators:
- Dependencies added or changed from a registry specifier to a file:, link:, git: or github: source, especially under a name that is on the default trusted list
- bun install runs in which lifecycle scripts executed for a package that is not in the project's trustedDependencies
- Processes spawned by bun install that reach out to the network or touch credential files
Network Indicators:
- Connections to unexpected package repositories
- Downloads from non-npm sources for trusted package names
SIEM Query:
Bun does not emit structured install events, so the following is an illustrative pseudo-query to adapt to whatever your build pipeline logs. Note the conjunction: the condition is a non-registry source and a trusted name, not either one alone.
tool="bun" AND event="install" AND dependency_source!="npm" AND package_name IN default_trusted_list