security-bun
SKILL.md
Security audit patterns for Bun runtime applications covering shell injection, SQL injection, server security, and Bun-specific vulnerabilities.
The #1 Bun Footgun: Shell Escaping vs Raw Shell
Bun's shell $ is a tagged template that escapes interpolated values by default. If you bypass that escaping (via raw mode), user input reaches the shell unescaped and can become command injection.
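An audit check for the raw bypass described above, as an added example that is not part of the original SKILL.md: a text-based scanner, runnable in Bun or Node, that flags Bun Shell interpolations wrapped in `{ raw: ... }` whose value is not a plain string literal. The function names and the sample source are constructed for illustration, and the scan is a heuristic rather than a full JavaScript parser.

```javascript
// Added example: heuristic check for Bun Shell raw interpolation, ${{ raw: expr }}.
// Text-based scan, not a full JavaScript parser. SAMPLE is constructed.

// Collect the ${...} expressions of every $`...` tagged template in `source`.
function shellInterpolations(source) {
  const found = [];
  const tag = /(?<![\w$])\$`/g; // `$` or `Bun.$` used as a tag, not `foo$`
  let m;
  while ((m = tag.exec(source)) !== null) {
    let i = m.index + 2;
    while (i < source.length && source[i] !== "`") {
      if (source[i] === "\\") { i += 2; continue; } // skip an escaped character
      if (source[i] === "$" && source[i + 1] === "{") {
        const start = i + 2;
        let depth = 1;
        for (i = start; i < source.length && depth > 0; i++) {
          if (source[i] === "{") depth++;
          else if (source[i] === "}") depth--;
        }
        const line = source.slice(0, start).split("\n").length;
        found.push({ line, expr: source.slice(start, i - 1).trim() });
        continue;
      }
      i++;
    }
    tag.lastIndex = i + 1; // resume after the closing backtick
  }
  return found;
}

// Report { raw: value } interpolations whose value is not a plain string literal.
function auditRawShell(source) {
  const rawObj = /^\{\s*raw\s*:\s*([\s\S]+?)\s*,?\s*\}$/;
  const literal = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/;
  return shellInterpolations(source)
    .map(({ line, expr }) => ({ line, match: rawObj.exec(expr) }))
    .filter(({ match }) => match && !literal.test(match[1]))
    .map(({ line, match }) => ({ line, value: match[1] }));
}

const SAMPLE = [
  'import { $ } from "bun";',
  "await $`echo ${userInput}`;",                // escaped by default: not reported
  'await $`ls ${{ raw: "-la" }}`;',             // raw, constant string: not reported
  "await $`grep ${{ raw: req.query.q }} log`;", // raw, dynamic value: reported
].join("\n");

console.log(auditRawShell(SAMPLE));
```

Each reported line is a place to confirm where the raw value comes from before trusting it.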
import { $ } from "bun";
const userInput = "hello; rm -rf /";