CVE-2025-8022

CVE-2025-8022 is a security vulnerability that is still awaiting full analysis and scoring.

Key facts

Description

Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument. The security responsibility for this usage pattern lies with the calling application, which must ensure the sanitization and validation of any untrusted arguments before passing them to the executed commands. Therefore, the potential for command injection is not a flaw within Bun itself; rather, it is an argument injection that is contingent on its implementation by the consuming application.

Frequently asked questions

What is CVE-2025-8022?
Rejected reason: Bun Shell does not invoke /bin/sh, or any other interpreter, for template literals created with the $ function. Each ${…} interpolation is treated as a single argument. The security responsibility for this usage pattern lies with the calling application, which must ensure the sanitization and validation of any untrusted arguments before passing them to the executed commands. Therefore, the potential for command injection is not a flaw within Bun itself; rather, it is an argument injection that is contingent on its implementation by the consuming application.
Is CVE-2025-8022 being actively exploited?
It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
How do I fix CVE-2025-8022?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-8022 have an EU (EUVD) identifier?
Yes. CVE-2025-8022 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-22414.
When was CVE-2025-8022 published?
CVE-2025-8022 was published on 2025-07-23 and last updated on 2025-08-11.