CVE-2024-21548

Source
https://cve.org/CVERecord?id=CVE-2024-21548
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21548.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21548
Aliases
Published
2024-12-18T06:15:23.360Z
Modified
2026-03-14T14:54:20.009415Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

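Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. Prototype pollution means that attacker-influenced input ends up adding or changing properties on a shared object prototype, so that unrelated objects in the same process inherit values they never set. The issue is fixed in 1.1.30; affected installations should be upgraded to that version or later.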

Note: This issue affects the widely known and actively developed 'Bun' JavaScript runtime. The bun package on npm at versions 0.0.12 and below belongs to a different, older project that previously held the 'bun' name.

References

Affected packages

Git / github.com/oven-sh/bun

Affected ranges

Type
GIT
Repo
https://github.com/oven-sh/bun
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.30"
        }
    ]
}

Affected versions

Other
09-07-231835-2021
build-8
bun-build-
bun-build-8
canary
not-quite-v0
bun-v0.*
bun-v0.0.0-10
bun-v0.0.0-11
bun-v0.0.0-12
bun-v0.0.0-13
bun-v0.0.0-14
bun-v0.0.0-15
bun-v0.0.0-8
bun-v0.0.0-9
bun-v0.0.15
bun-v0.0.16
bun-v0.0.17
bun-v0.0.18
bun-v0.0.19
bun-v0.0.20
bun-v0.0.21
bun-v0.0.22
bun-v0.0.23
bun-v0.0.24
bun-v0.0.25
bun-v0.0.26
bun-v0.0.27
bun-v0.0.28
bun-v0.0.29
bun-v0.0.30
bun-v0.0.31
bun-v0.0.32
bun-v0.0.34
bun-v0.0.35
bun-v0.0.36
bun-v0.0.37
bun-v0.0.38
bun-v0.0.39
bun-v0.0.40
bun-v0.0.41
bun-v0.0.42
bun-v0.0.43
bun-v0.0.44
bun-v0.0.45
bun-v0.0.46
bun-v0.0.48
bun-v0.0.49
bun-v0.0.50
bun-v0.0.51
bun-v0.0.52
bun-v0.0.53
bun-v0.0.54
bun-v0.0.55
bun-v0.0.56
bun-v0.0.57
bun-v0.0.58
bun-v0.0.59
bun-v0.0.60
bun-v0.0.61
bun-v0.0.62
bun-v0.0.63
bun-v0.0.64
bun-v0.0.65
bun-v0.0.66
bun-v0.0.68
bun-v0.0.69
bun-v0.0.70
bun-v0.0.71
bun-v0.0.72
bun-v0.0.73
bun-v0.0.74
bun-v0.0.75
bun-v0.0.76
bun-v0.0.77
bun-v0.0.78
bun-v0.0.79
bun-v0.0.80
bun-v0.0.81
bun-v0.0.82
bun-v0.0.83
bun-v0.1.0
bun-v0.1.1
bun-v0.1.10
bun-v0.1.11
bun-v0.1.12
bun-v0.1.13
bun-v0.1.2
bun-v0.1.3
bun-v0.1.4
bun-v0.1.5
bun-v0.1.6
bun-v0.1.7
bun-v0.1.8
bun-v0.1.9
bun-v0.2.0
bun-v0.2.1
bun-v0.2.2
bun-v0.3.0
bun-v0.4.0
bun-v0.5.0
bun-v0.5.1
bun-v0.5.2
bun-v0.5.3
bun-v0.5.4
bun-v0.5.5
bun-v0.5.6
bun-v0.5.7
bun-v0.5.8
bun-v0.5.9
bun-v0.6.0
bun-v0.6.1
bun-v0.6.10
bun-v0.6.11
bun-v0.6.12
bun-v0.6.13
bun-v0.6.14
bun-v0.6.2
bun-v0.6.3
bun-v0.6.4
bun-v0.6.5
bun-v0.6.6
bun-v0.6.7
bun-v0.6.8
bun-v0.6.9
bun-v0.7.0
bun-v0.7.1
bun-v0.7.2
bun-v0.7.3
bun-v0.8.0
bun-v0.8.1
bun-v1.*
bun-v1.0.0
bun-v1.0.1
bun-v1.0.10
bun-v1.0.11
bun-v1.0.12
bun-v1.0.13
bun-v1.0.14
bun-v1.0.15
bun-v1.0.16
bun-v1.0.17
bun-v1.0.18
bun-v1.0.19
bun-v1.0.2
bun-v1.0.20
bun-v1.0.21
bun-v1.0.22
bun-v1.0.23
bun-v1.0.24
bun-v1.0.25
bun-v1.0.26
bun-v1.0.27
bun-v1.0.28
bun-v1.0.29
bun-v1.0.3
bun-v1.0.30
bun-v1.0.31
bun-v1.0.32
bun-v1.0.33
bun-v1.0.34
bun-v1.0.35
bun-v1.0.36
bun-v1.0.4
bun-v1.0.5
bun-v1.0.6
bun-v1.0.7
bun-v1.0.8
bun-v1.0.9
bun-v1.1.0
bun-v1.1.1
bun-v1.1.10
bun-v1.1.11
bun-v1.1.12
bun-v1.1.13
bun-v1.1.14
bun-v1.1.15
bun-v1.1.16
bun-v1.1.17
bun-v1.1.18
bun-v1.1.19
bun-v1.1.2
bun-v1.1.20
bun-v1.1.21
bun-v1.1.22
bun-v1.1.23
bun-v1.1.24
bun-v1.1.25
bun-v1.1.26
bun-v1.1.27
bun-v1.1.28
bun-v1.1.29
bun-v1.1.3
bun-v1.1.4
bun-v1.1.5
bun-v1.1.6
bun-v1.1.7
bun-v1.1.8
bun-v1.1.9
v0.*
v0.0.0
v0.0.0-19
v0.0.0-20
v0.0.0-21
v0.1.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21548.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "id": "CVE-2024-21548-30a07e01",
        "deprecated": false,
        "digest": {
            "function_hash": "89849205491435689161138443938824985601",
            "length": 673.0
        },
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "signature_version": "v1",
        "target": {
            "file": "src/bun.js/bindings/bindings.cpp",
            "function": "JSC__JSValue__getIfPropertyExistsImpl"
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-21548-9b3daf1c",
        "deprecated": false,
        "digest": {
            "function_hash": "34594054423202090033397394988998780773",
            "length": 619.0
        },
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "signature_version": "v1",
        "target": {
            "file": "src/bun.js/bindings/bindings.cpp",
            "function": "JSC__JSValue__getIfPropertyExistsImplString"
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-21548-bdd55e94",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "299831548300282117506864518170384924442",
                "38770638857360147864139242324481664420",
                "291440841439493946738890190492121022182",
                "295241878461039016540367491661604766680",
                "296417107321246395558955867310511259915",
                "180901962104765425089946557277198244904",
                "315274282887554827919454073451249179542",
                "312463900061062228158235431386598091317",
                "250025970537737188492310250336414453375",
                "186562424146818233692479390798975026111",
                "336506479990300026110332605461736573410",
                "38626273558981886678260745541252344965",
                "305083420600610033905773286578952530220",
                "55904680115615799796954979717706992273",
                "100126021974549478418696950040587259834",
                "57822950380168537757189781900388661246",
                "234033108047046643259210183664082422465",
                "16485837597858745231214181516331991186",
                "259211879949969045358187321573549020723",
                "216285224184798970729613144308821010658",
                "304134901221645442120425537051055709061"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/oven-sh/bun/commit/a234e067a5dc7837602df3fb5489e826920cc65a",
        "signature_version": "v1",
        "target": {
            "file": "src/bun.js/bindings/bindings.cpp"
        }
    }
]
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "Bun"
            }
        ]
    }
]