{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-24910", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-27T22:26:26.541Z", "datePublished": "2026-01-27T22:26:26.801Z", "dateUpdated": "2026-01-28T21:19:54.515Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Bun", "vendor": "Bun", "versions": [{"lessThan": "1.3.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T22:35:33.029Z"}, "references": [{"url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}, {"url": "https://bun.com/blog/bun-v1.3.5"}, {"url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T21:19:41.436423Z", "id": "CVE-2026-24910", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:19:54.515Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24910", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T21:19:41.436423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:19:49.038Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Bun", "product": "Bun", "versions": [{"status": "affected", "version": "0", "lessThan": "1.3.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}, {"url": "https://bun.com/blog/bun-v1.3.5"}, {"url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T22:35:33.029Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24910", "state": "PUBLISHED", "dateUpdated": "2026-01-28T21:19:54.515Z", "dateReserved": "2026-01-27T22:26:26.541Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-27T22:26:26.801Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github)."}, {"lang": "es", "value": "En Bun antes de 1.3.5, la lista predeterminada de dependencias de confianza (tambi\u00e9n conocida como lista de permisos de confianza) puede ser suplantada por un paquete que no es de npm en caso de coincidencia de nombre (para archivo, enlace, git o github)."}], "id": "CVE-2026-24910", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-01-27T23:15:50.860", "references": [{"source": "cve@mitre.org", "url": "https://bun.com/blog/bun-v1.3.5"}, {"source": "cve@mitre.org", "url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"}, {"source": "cve@mitre.org", "url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:53:04.281435+00:00", "value": {"mitigation_remediation": ["Upgrade Bun to version 1.3.5 or later to eliminate the spoofing flaw.", "Restrict dependencies to explicit npm sources and avoid installing packages from non\u2011npm registries unless they are absolutely necessary.", "Audit and cleanse the trust allow list by removing unnecessary entries or replacing them with precise package names to reduce the attack surface."], "summary": {"action": "Patch ASAP", "impact": "Package Trust Spoofing Potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected product is Bun itself. All installations using versions prior to 1.3.5 are vulnerable, regardless of operating system, because the defect is in the core dependency resolver.", "description_and_impact": "The vulnerability is in Bun versions before 1.3.5. The package manager\u2019s default trust allow list can be spoofed by a non\u2011npm package that shares a name with a trusted entry. An attacker can therefore have a malicious package impersonated as a trusted npm package, allowing it to be downloaded and executed during the installation process. This undermines the integrity of the dependency chain and may result in arbitrary code execution within the environment that runs Bun.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate risk, while an EPSS score of less than 1% shows a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. A likely attack vector involves an attacker placing a malicious package with a name matching a trusted npm entry into a repository or file system that Bun resolves, thereby hijacking the dependency resolution path. Successful exploitation could lead to arbitrary code execution as the user running Bun."}}}}, "created": "2026-01-28T12:22:19.547759+00:00", "title": "Bun Trust Allow List Spoofing Allows Malicious Packages to Be Trusted", "updated": "2026-04-18T02:00:10.466456+00:00", "vendors": ["bun", "bun$PRODUCT$bun"]}