CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-30354: Bruno ignores Safe-Mode in Asserts expressions

8.7 CVSS

Description

Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expressions to run in Developer Mode, even if Safe Mode was selected. The bug resulted in the sandbox settings to be ignored for the particular case where a single request is run/sent. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno collection. The vulnerability is fixed in 1.39.1.

Classification

CVE ID: CVE-2025-30354

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

Affected Products

Vendor: usebruno

Product: bruno

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.14% (scored less or equal to compared to others)

EPSS Date: 2025-04-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30354
https://github.com/usebruno/bruno/security/advisories/GHSA-hffg-7v8v-79j3

Timeline