CVE-2026-24910

Medium

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a…

mitre·CWE-348·Published 2026-01-27

CVSS

5.9

EPSS

0.00

KEV

Exploits

cve.orgen

182 chars

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

NVDen

182 chars

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

En Bun antes de 1.3.5, la lista predeterminada de dependencias de confianza (también conocida como lista de permisos de confianza) puede ser suplantada por un paquete que no es de npm en caso de coincidencia de nombre (para archivo, enlace, git o github).

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	5.9	—	—	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
3.1	Secondary	NVD	5.9	1.4	4.0	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N