CVE-2025-8022: 
JavaScript vulnerability analysis and mitigation

Versions of the package bun after 0.0.12 are vulnerable to an OS Command Injection vulnerability in the $ shell API. The vulnerability was discovered on March 23, 2025, and publicly disclosed on July 22, 2025. This security issue specifically affects the widely known and actively developed 'Bun' JavaScript runtime, not the older project that previously claimed the 'bun' name on NPM at versions 0.0.12 and below (Snyk Advisory).

The vulnerability stems from improper neutralization of user input in the $ shell API. When user input includes command-line arguments or shell metacharacters, it can lead to unintended command execution. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (HIGH) and CVSS v3.1 score of 8.8 (HIGH), indicating significant potential impact. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (Snyk Advisory).

The vulnerability allows attackers to execute arbitrary commands by manipulating command-line arguments. This can lead to significant impacts on system confidentiality, integrity, and availability. The attack can be performed over the network with low attack complexity, requiring no special privileges, though it does need partial user interaction (Snyk Advisory).

Currently, there is no fixed version available for the affected package. Users should exercise caution when handling user input that gets passed to the $ shell API and implement proper input validation and sanitization mechanisms (Snyk Advisory).