Strix
26.1K

CVE-2025-30354

HIGHCVSS 8.7/10EPSS 0.35%

Last modified

CVE-2025-30354 is a high-severity vulnerability rated 8.7/10 on the CVSS scale. Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expressions to run in Developer Mode, even if Safe Mode was selected. EPSS estimates a 0.35% chance of exploitation in the next 30 days.

Description

Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expressions to run in Developer Mode, even if Safe Mode was selected. The bug resulted in the sandbox settings to be ignored for the particular case where a single request is run/sent. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno collection. The vulnerability is fixed in 1.39.1.

Metrics

CVSS 3.1
4.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS 4.0
8.7/10

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.35%

26.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
UsebrunoBruno< 1.39.1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-30354?
Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expressions to run in Developer Mode, even if Safe Mode was selected. The bug resulted in the sandbox settings to be ignored for the particular case where a single request is run/sent. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno collection. The vulnerability is fixed in 1.39.1.
How severe is CVE-2025-30354?
CVE-2025-30354 has a CVSS score of 8.7/10 (HIGH severity). The EPSS model estimates a 0.35% probability of exploitation in the next 30 days.
How do I fix CVE-2025-30354?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-30354?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST