CVE-2025-30210 in bruno
Summary
by MITRE • 04/01/2025
Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components which internally use react-tooltip were setting the content (in this case the Environment name) as raw HTML which then gets injected into DOM on hover. This, combined with loose Content Security Policy restrictions, allowed any valid HTML text containing inline script to get executed on hovering over the respective Environment's name. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno or Postman collection export and the user hovers on the environment name. This vulnerability is fixed in 1.39.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/24/2025
The vulnerability identified as CVE-2025-30210 affects Bruno, an open source integrated development environment designed for API exploration and testing. This security flaw exists in versions prior to 1.39.1 and stems from improper handling of user-provided content within custom tooltip components that utilize the react-tooltip library. The technical implementation involves the application rendering environment names as raw HTML content directly into the DOM, creating a classic cross-site scripting vulnerability scenario. This flaw falls under CWE-79 which specifically addresses cross-site scripting vulnerabilities where untrusted data is improperly integrated into web pages without proper sanitization or encoding mechanisms.
The operational impact of this vulnerability is significant despite its limited attack surface. The exploit requires specific user interaction patterns that make it less likely to occur accidentally but still represents a genuine threat to users who import collections from untrusted sources. When a malicious user imports a specially crafted Bruno or Postman collection export, the environment names within the collection contain embedded HTML that includes inline JavaScript payloads. These payloads execute automatically when users hover over the affected environment names, creating a server-side code execution scenario. The vulnerability's exploitation is constrained by the requirement for user interaction, specifically the deliberate act of opening a malicious collection file followed by hovering over environment names, but this does not eliminate the risk entirely.
The security implications extend beyond simple code execution to encompass potential data exfiltration, session hijacking, and further compromise of the user's development environment. The loose Content Security Policy restrictions in the application's configuration allowed the execution of inline scripts without proper validation, which is a fundamental security misconfiguration that violates the principle of least privilege. This vulnerability aligns with ATT&CK technique T1211 which involves exploitation of software vulnerabilities for privilege escalation and code execution, though in this case the privilege escalation occurs through user interaction rather than system-level exploitation. The attack vector is particularly concerning because it leverages the trust users place in collection imports, making it difficult to detect and prevent through traditional security measures.
The mitigation strategy involves updating to Bruno version 1.39.1 which implements proper HTML sanitization for tooltip content and enforces stricter Content Security Policy restrictions. Organizations should also implement security awareness training for developers who regularly import collections from external sources, emphasizing the importance of verifying collection integrity before opening. Additionally, system administrators should consider implementing network-level controls to monitor and restrict access to potentially malicious collection files, though the primary defense remains the application-level fix. The vulnerability demonstrates the importance of secure coding practices, particularly in handling user-provided content, and the necessity of maintaining up-to-date security configurations. The fix addresses the root cause by ensuring that all tooltip content is properly sanitized before DOM injection, preventing malicious HTML from executing in the user's browser context.