GHSA-4j66-8f4r-3pjx · Severity: high · Ecosystem: npm — Withdrawn Advisory: bun vulnerable to OS Command Injection
Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument. The security responsibility for this usage pattern lies with the calling application, which must ensure the sanitization and validation of any untrusted arguments before passing them to the executed commands. Therefore, the potential for command injection is not a flaw within Bun itself; rather, it is an argument injection that is contingent on its implementation by the consuming application.
Conclusion & alert: This CVE is rejected; it is not tracked as an active vulnerability. Mandatory action: Do not treat as an active exposure for patching queues—follow the CVE record status and authoritative vendor or program statements only.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-07-23 | — | 0.06% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
No CVSS data in dataset for this CVE.
GHSA-4j66-8f4r-3pjx · Severity: high · Ecosystem: npm — Withdrawn Advisory: bun vulnerable to OS Command Injection
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||
| URL | Tags |
|---|---|
| No references in dataset. | |