CVE-2024-21548

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21548
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21548.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21548
Aliases
Published
2024-12-18T06:15:23Z
Modified
2025-10-22T18:21:35.120532Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects.

Note: This issue relates to the widely known and actively developed 'Bun' JavaScript runtime. The bun package on NPM at versions 0.0.12 and below belongs to a different and older project that happened to claim the 'bun' name in the past.

References

Affected packages

Git / github.com/oven-sh/bun

Affected ranges

Type
GIT
Repo
https://github.com/oven-sh/bun
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

09-07-231835-2021
build-8
bun-build-
bun-build-8
canary
not-quite-v0

bun-v0.*

bun-v0.0.0-10
bun-v0.0.0-11
bun-v0.0.0-12
bun-v0.0.0-13
bun-v0.0.0-14
bun-v0.0.0-15
bun-v0.0.0-8
bun-v0.0.0-9
bun-v0.0.15
bun-v0.0.16
bun-v0.0.17
bun-v0.0.18
bun-v0.0.19
bun-v0.0.20
bun-v0.0.21
bun-v0.0.22
bun-v0.0.23
bun-v0.0.24
bun-v0.0.25
bun-v0.0.26
bun-v0.0.27
bun-v0.0.28
bun-v0.0.29
bun-v0.0.30
bun-v0.0.31
bun-v0.0.32
bun-v0.0.34
bun-v0.0.35
bun-v0.0.36
bun-v0.0.37
bun-v0.0.38
bun-v0.0.39
bun-v0.0.40
bun-v0.0.41
bun-v0.0.42
bun-v0.0.43
bun-v0.0.44
bun-v0.0.45
bun-v0.0.46
bun-v0.0.48
bun-v0.0.49
bun-v0.0.50
bun-v0.0.51
bun-v0.0.52
bun-v0.0.53
bun-v0.0.54
bun-v0.0.55
bun-v0.0.56
bun-v0.0.57
bun-v0.0.58
bun-v0.0.59
bun-v0.0.60
bun-v0.0.61
bun-v0.0.62
bun-v0.0.63
bun-v0.0.64
bun-v0.0.65
bun-v0.0.66
bun-v0.0.68
bun-v0.0.69
bun-v0.0.70
bun-v0.0.71
bun-v0.0.72
bun-v0.0.73
bun-v0.0.74
bun-v0.0.75
bun-v0.0.76
bun-v0.0.77
bun-v0.0.78
bun-v0.0.79
bun-v0.0.80
bun-v0.0.81
bun-v0.0.82
bun-v0.0.83
bun-v0.1.0
bun-v0.1.1
bun-v0.1.10
bun-v0.1.11
bun-v0.1.12
bun-v0.1.13
bun-v0.1.2
bun-v0.1.3
bun-v0.1.4
bun-v0.1.5
bun-v0.1.6
bun-v0.1.7
bun-v0.1.8
bun-v0.1.9
bun-v0.2.0
bun-v0.2.1
bun-v0.2.2
bun-v0.3.0
bun-v0.4.0
bun-v0.5.0
bun-v0.5.1
bun-v0.5.2
bun-v0.5.3
bun-v0.5.4
bun-v0.5.5
bun-v0.5.6
bun-v0.5.7
bun-v0.5.8
bun-v0.5.9
bun-v0.6.0
bun-v0.6.1
bun-v0.6.10
bun-v0.6.11
bun-v0.6.12
bun-v0.6.13
bun-v0.6.14
bun-v0.6.2
bun-v0.6.3
bun-v0.6.4
bun-v0.6.5
bun-v0.6.6
bun-v0.6.7
bun-v0.6.8
bun-v0.6.9
bun-v0.7.0
bun-v0.7.1
bun-v0.7.2
bun-v0.7.3
bun-v0.8.0
bun-v0.8.1

bun-v1.*

bun-v1.0.0
bun-v1.0.1
bun-v1.0.10
bun-v1.0.11
bun-v1.0.12
bun-v1.0.13
bun-v1.0.14
bun-v1.0.15
bun-v1.0.16
bun-v1.0.17
bun-v1.0.18
bun-v1.0.19
bun-v1.0.2
bun-v1.0.20
bun-v1.0.21
bun-v1.0.22
bun-v1.0.23
bun-v1.0.24
bun-v1.0.25
bun-v1.0.26
bun-v1.0.27
bun-v1.0.28
bun-v1.0.29
bun-v1.0.3
bun-v1.0.30
bun-v1.0.31
bun-v1.0.32
bun-v1.0.33
bun-v1.0.34
bun-v1.0.35
bun-v1.0.36
bun-v1.0.4
bun-v1.0.5
bun-v1.0.6
bun-v1.0.7
bun-v1.0.8
bun-v1.0.9
bun-v1.1.0
bun-v1.1.1
bun-v1.1.10
bun-v1.1.11
bun-v1.1.12
bun-v1.1.13
bun-v1.1.14
bun-v1.1.15
bun-v1.1.16
bun-v1.1.17
bun-v1.1.18
bun-v1.1.19
bun-v1.1.2
bun-v1.1.20
bun-v1.1.21
bun-v1.1.22
bun-v1.1.23
bun-v1.1.24
bun-v1.1.25
bun-v1.1.26
bun-v1.1.27
bun-v1.1.28
bun-v1.1.29
bun-v1.1.3
bun-v1.1.4
bun-v1.1.5
bun-v1.1.6
bun-v1.1.7
bun-v1.1.8
bun-v1.1.9

v0.*

v0.0.0
v0.0.0-19
v0.0.0-20
v0.0.0-21
v0.1.1

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "id": "CVE-2024-21548-30a07e01",
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "digest": {
            "function_hash": "89849205491435689161138443938824985601",
            "length": 673.0
        },
        "target": {
            "function": "JSC__JSValue__getIfPropertyExistsImpl",
            "file": "src/bun.js/bindings/bindings.cpp"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "id": "CVE-2024-21548-9b3daf1c",
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "digest": {
            "function_hash": "34594054423202090033397394988998780773",
            "length": 619.0
        },
        "target": {
            "function": "JSC__JSValue__getIfPropertyExistsImplString",
            "file": "src/bun.js/bindings/bindings.cpp"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "id": "CVE-2024-21548-bdd55e94",
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "src/bun.js/bindings/bindings.cpp"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]