Strix
26.1K

CVE-2025-8022

Unknown

Last modified

CVE-2025-8022 is a vulnerability of currently unknown severity. Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument.

Description

Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument. The security responsibility for this usage pattern lies with the calling application, which must ensure the sanitization and validation of any untrusted arguments before passing them to the executed commands. Therefore, the potential for command injection is not a flaw within Bun itself; rather, it is an argument injection that is contingent on its implementation by the consuming application.

Timeline

Published
Last Modified
Status
Rejected

Frequently Asked Questions

What is CVE-2025-8022?
Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument. The security responsibility for this usage pattern lies with the calling application, which must ensure the sanitization and validation of any untrusted arguments before passing them to the executed commands. Therefore, the potential for command injection is not a flaw within Bun itself; rather, it is an argument injection that is contingent on its implementation by the consuming application.
How severe is CVE-2025-8022?
Severity scoring for CVE-2025-8022 is pending analysis.
How do I fix CVE-2025-8022?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-8022?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST