Command Injection
Description
Command injection in buns package's install function allows arbitrary OS command execution via crafted module name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The buns npm package (all versions) contains a command injection vulnerability in the install(requestedModule) function at line 678 of lib/index.js. The function fails to sanitize user-supplied input, allowing an attacker to inject arbitrary OS commands.
To exploit, an attacker provides a malicious module name (e.g., "& touch JHU") to the install function. No authentication or special privileges are required; the attack vector is over the network if the function is called with attacker-controlled input. The injected commands are executed in the context of the Node.js process.
Successful exploitation results in arbitrary command execution on the host system, potentially leading to data theft, ransomware, or lateral movement.
As of the advisory publication date, no fixed version exists, and the package appears to be unmaintained. Users should avoid using this package and migrate to alternatives. The vulnerability is publicly known and has a proof-of-concept available [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| buns | npm | <= 1.1.6 | — |
Affected products
- buns/buns
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-487w-pqcm-63hq (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-7794 (NVD)
- [3] snyk.io/vuln/SNYK-JS-BUNS-1050389 (Snyk)
News mentions
No linked articles in our index yet.