[GHSA-v9mx-4pqq-h232] Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo #5850
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates a security advisory for Bun (GHSA-v9mx-4pqq-h232) to address version range and severity scoring issues. The changes refine the vulnerability scope and update CVSS scoring.
- Updates CVSS v4 scoring by removing the /E:P suffix
- Adds npm ecosystem package range starting from version 0.0.13 instead of all versions
- Changes severity classification from MODERATE to HIGH
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" | ||
| }, | ||
| { |
There was a problem hiding this comment.
The entire CVSS_V3 section is being removed. Consider documenting the reason for removing the CVSS v3 score in the commit message or PR description to maintain audit trail for security advisory changes.
Copilot uses AI. Check for mistakes.
github-actions
bot
changed the base branch from
main
to
lirantal/advisory-improvement-5850
|
Hi @lirantal, Both advisories will be updated to reflect this lower bound to prevent confusion with the old package. However, we are unable to make the proposed changes to the Synk advisories for SNYK-JS-BUN-9510752 and SNYK-JS-BUN-8499549. The good news is that they seem to currently reflect the |
advisory-database
bot
merged commit 73ac5c3
into
lirantal/advisory-improvement-5850
|
Hi @lirantal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
The Bun vulnerabilities CVE-2025-8022 (https://security.snyk.io/vuln/SNYK-JS-BUN-9510752) and
CVE-2024-21548 https://security.snyk.io/vuln/SNYK-JS-BUN-8499549 both need to be updated to reflect a vulnerable version range of > 0.0.12 - reason is that on npm there’s a package called bun but it used to be a whole different package and not the runtime from 12 years ago 0.0.12 is where that case was the last time.