Liran Tal
  • Jun 21, 2025

Disclosing an Insecure Practice in Bun Package Manager

Bun package manager prioritizes its own internal package allow-list over the `ignore-scripts` configuration directive in `.npmrc` files, which could lead to security risks.

I previously discovered and reported a security vulnerability in the Bun JavaScript runtime (CVE-2024-21548); this insecure practice in the Bun package manager is another finding from the same security research project I conducted on Bun.

Note about the responsible disclosure process: the vendor did not acknowledge or reply to any of my attempts to contact them about this vulnerability. I reported it to their GitHub security vulnerability disclosure program on the GitHub repo and made numerous attempts via social media and email, to no avail. A prior vulnerability that I disclosed to them did get fixed and did receive a CVE (evidence here: https://security.snyk.io/vuln/SNYK-JS-BUN-8499549); however, at the same time they didn’t acknowledge the report in their GitHub disclosure issue queue and have halted communication ever since.

About the Insecure Practice of Bun Package Manager

During `bun add <package>`, Bun prioritizes its own internal package allow-list over the `ignore-scripts` configuration directive in `.npmrc` files, even though Bun reads `.npmrc` and respects its other directives.

At the time of finding this issue, all Bun runtime versions were affected as far as I can tell. I originally reported this on October 18th, 2024, when Bun was at version 1.1.31. Since they haven’t responded to my report, I cannot confirm whether this has been fixed in later versions or still applies.

Details about the security issue

This practice prevents users from systematically disabling dependencies’ install scripts through a central `.npmrc`, which in turn exposes them to point-in-time account takeovers and malicious versions published to the registry. A “trusted package” allow-list trusts a package name, not a specific version or publisher, so a hijacked maintainer account publishes under that same trusted name; past security incidents have shown that this happens (event-stream, eslint-config-eslint, eslint-scope, …).

Proof of Concept

Reproduce as follows:

  1. Set `ignore-scripts=true` in `~/.npmrc`
  2. Install one of the allow-listed packages, e.g. `bun add @memlab/cli`
  3. Observe and confirm that the package’s own install script executed despite the directive

Note that, unlike the `.npmrc` directive, Bun does respect the command-line flag. For example, `bun add @memlab/cli --ignore-scripts` behaves correctly and skips install scripts.
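Because Bun honours the flag on the command line but not the directive in `.npmrc`, the practical mitigation until the behaviour is fixed is to make the flag unavoidable. The POSIX shell wrapper below is an added example written for this page, not code from the original post or from the Bun project. It resolves `ignore-scripts` from the project and user `.npmrc` files and appends `--ignore-scripts` to `bun add`/`bun install` invocations when the policy says so. It assumes npm’s precedence rules (`./.npmrc` over `~/.npmrc`, last assignment within a file wins); the `NPMRC_PROJECT` and `NPMRC_USER` overrides are hypothetical and exist only so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example for this page; not code from the original post or from the Bun
# project. Policy wrapper: read ignore-scripts from .npmrc files and translate
# it into the --ignore-scripts flag, which Bun does honour on the command line.
# Assumptions (mine): npm's precedence rules (./.npmrc beats ~/.npmrc, the last
# assignment in a file wins); NPMRC_PROJECT / NPMRC_USER are hypothetical
# overrides so the logic can be exercised on constructed files.

# npmrc_value FILE KEY: print the last value assigned to KEY in FILE.
# Handles ini syntax: "key=value", optional spaces around "=", ';' or '#'
# comment lines, double-quoted values and CRLF line endings.
npmrc_value() {
    file=$1
    key=$2
    [ -r "$file" ] || return 1
    sed -n \
        -e 's/^[[:space:]]*//' \
        -e '/^[;#]/d' \
        -e "s/^${key}[[:space:]]*=[[:space:]]*//p" "$file" \
      | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
      | tail -n 1
}

# ignore_scripts_enabled FILE...: files from highest to lowest priority.
# Exit 0 when the first file that mentions ignore-scripts sets it to true.
ignore_scripts_enabled() {
    for f in "$@"; do
        v=$(npmrc_value "$f" ignore-scripts) || continue
        case "$v" in
            '')   continue ;;      # key absent here, fall through to the next file
            true) return 0 ;;
            *)    return 1 ;;      # explicitly disabled at a higher priority level
        esac
    done
    return 1
}

# needs_ignore_scripts_flag SUBCOMMAND [ARGS...]: exit 0 when the wrapper must
# append --ignore-scripts: an installing subcommand, the flag not already given,
# and policy resolved from ./.npmrc then ~/.npmrc says ignore-scripts=true.
needs_ignore_scripts_flag() {
    case "$1" in
        add|install|i|update) ;;
        *) return 1 ;;
    esac
    shift
    for a in "$@"; do
        [ "$a" = "--ignore-scripts" ] && return 1
    done
    ignore_scripts_enabled "${NPMRC_PROJECT:-./.npmrc}" "${NPMRC_USER:-$HOME/.npmrc}"
}

# bun_args SUBCOMMAND [ARGS...]: print the final argv, one item per line, so the
# decision can be inspected (and tested) without bun installed.
bun_args() {
    if needs_ignore_scripts_flag "$@"; then
        printf '%s\n' "$@" --ignore-scripts
    else
        printf '%s\n' "$@"
    fi
}

# bunw: alias this as "bun" in developer shells and CI images. "bunw add pkg"
# then cannot run lifecycle scripts when the team's .npmrc forbids them, even
# for packages on Bun's internal allow-list.
bunw() {
    if needs_ignore_scripts_flag "$@"; then
        exec bun "$@" --ignore-scripts
    fi
    exec bun "$@"
}

# Demonstration on constructed .npmrc files (not real team configuration).
demo() {
    tmp=$(mktemp -d)
    printf '; team policy\nregistry=https://registry.npmjs.org/\nignore-scripts = true\n' \
        > "$tmp/user.npmrc"
    printf 'save-exact=true\n' > "$tmp/project.npmrc"
    NPMRC_PROJECT="$tmp/project.npmrc"
    NPMRC_USER="$tmp/user.npmrc"
    bun_args add @memlab/cli       # add / @memlab/cli / --ignore-scripts
    rm -rf "$tmp"
}
demo
```

The wrapper deliberately keeps the argv decision (`bun_args`) separate from the `exec` so the policy can be unit-tested in CI without Bun present. It only covers the `.npmrc` gap the post describes; it does not change which packages Bun’s internal allow-list trusts, and a developer who invokes the real `bun` binary directly bypasses it, so in CI images it belongs on `PATH` ahead of `bun`.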

Impact

The risk: when a trusted package is compromised with malicious intent, a security team’s first-response measure is often to mandate the `ignore-scripts` policy in a `.npmrc` file (sometimes automated, with the `.npmrc` file committed to source control). With Bun, that measure silently fails for allow-listed packages: developers and CI pipelines believe install scripts are disabled while Bun still runs them.

What kind of vulnerability is it?

A security misconfiguration

Who is impacted?

Developers, CI systems.

CVSS and CWE

CVSS: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CWE: CWE-183 (Permissive List of Allowed Inputs)

Expected behavior

Bun should respect the configuration directives read from `.npmrc` files, such as `ignore-scripts`, and prioritize them over its own package allow-list.
