Miggo Logo
Miggo Vulnerability Database
CVE-2025-8022

CVE-2025-8022: bun vulnerable to OS Command Injection

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-8022
GHSA ID
GHSA-4j66-8f4r-3pjx
EPSS Score
0.19625%
CWE
CWE-78
Published
7/23/2025
Updated
7/23/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
bunnpm<= 1.1.39

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability exists in the $ shell API of the bun package. When a user provides input to the $ tagged template literal, the code attempts to sanitize it by escaping special characters. The process starts in shell.shellCmdFromJS, which is the entry point from JavaScript. This function iterates through the parts of the template literal and passes the dynamic, user-controlled values to shell.handleTemplateValue. For string values, handleTemplateValue calls ShellSrcBuilder.appendJSValueStr, which in turn relies on shell.needsEscapeUtf8AsciiLatin1 to determine if the string needs escaping. The vulnerability lies in the needsEscapeUtf8AsciiLatin1 function, specifically in the SPECIAL_CHARS array it uses for checking. This array is missing the hyphen character (-). As a result, if a user provides a string that starts with a hyphen, it is not identified as needing to be escaped and is concatenated directly into the command string. This allows an attacker to inject arbitrary command-line arguments, leading to OS command injection. The proof of concept demonstrates this by injecting the --upload-pack argument into a git ls-remote command.

Vulnerable functions

shell.shellCmdFromJS
src/shell/shell.zig
This function is the entry point for the `$` shell API in Bun. It processes the tagged template literal, separating the static strings from the dynamic values. It then calls `handleTemplateValue` to process the user-controlled dynamic values, which are not properly sanitized, leading to command injection.
shell.handleTemplateValue
src/shell/shell.zig
This function is responsible for handling the dynamic values passed to the `$` shell API. When it encounters a string value, it calls `appendJSValueStr` with `allow_escape` set to `true`. However, the escaping mechanism is flawed, as it doesn't account for command-line arguments starting with a hyphen `-`, which allows for argument injection.
shell.needsEscapeUtf8AsciiLatin1
src/shell/shell.zig
This function contains the core logic of the vulnerability. It checks if a string contains any special characters that need to be escaped. The `SPECIAL_CHARS` array, which is used to build the `SPECIAL_CHARS_TABLE`, does not include the hyphen character (`-`). This omission allows strings starting with a hyphen to be passed directly into the shell command, where they are interpreted as command-line arguments, leading to an OS command injection vulnerability.

WAF Protection Rules

WAF Rule

*ll v*rsions o* t** p**k*** *un *r* vuln*r**l* to Improp*r N*utr*liz*tion o* Sp**i*l *l*m*nts us** in *n OS *omm*n* ('OS *omm*n* Inj**tion') in t** $ s**ll *PI *u* to improp*r n*utr*liz*tion o* us*r input. *n *tt**k*r **n *xploit t*is *y provi*in* sp

Reasoning

T** vuln*r**ility *xists in t** `$` s**ll *PI o* t** `*un` p**k***. W**n * us*r provi**s input to t** `$` t***** t*mpl*t* lit*r*l, t** *o** *tt*mpts to s*nitiz* it *y *s**pin* sp**i*l ***r**t*rs. T** pro**ss st*rts in `s**ll.s**ll*m**romJS`, w*i** is