PT-2025-14115 · Unknown+1 · React-Tooltip+1

Published

2025-04-01

·

Updated

2025-09-23

·

CVE-2025-30210

CVSS v4.0

8.7

High

Vector

AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Bruno versions prior to 1.39.1

Description

The issue arises from custom tooltip components built on react-tooltip, which set their content as raw HTML and inject it into the DOM on hover. Combined with loose Content Security Policy restrictions, this allows any valid HTML text containing inline script to execute when the user hovers over an environment's name. The attack surface is limited to scenarios where users import collections from untrusted sources: the exploit requires user action, specifically downloading and opening a malicious collection export and then hovering over the environment name.

Recommendations

For versions prior to 1.39.1, update to version 1.39.1, which fixes the issue. As a temporary workaround, avoid importing collections from untrusted or malicious sources and restrict the use of custom tooltips until the update is applied.
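As an added illustration of the defect described above (example code, not Bruno's or react-tooltip's own): an untrusted environment name reaching tooltip markup as raw HTML, the escaped counterpart, and a simplified check of whether a Content Security Policy still permits inline script. The function names, the sample name and the policy strings are assumptions constructed for this example.

```javascript
// Added example, not code from Bruno or react-tooltip. Models the defect the
// advisory describes: an imported environment name concatenated into tooltip
// HTML as-is, beside the escaped form, plus a CSP check for inline script.

// Escape the characters that let text break out into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: any markup in the name is parsed by the browser on hover.
function tooltipHtmlUnsafe(envName) {
  return `<span class="env">${envName}</span>`;
}

// Hardened pattern: the name is escaped first, so it can only render as text.
function tooltipHtmlSafe(envName) {
  return `<span class="env">${escapeHtml(envName)}</span>`;
}

// True when a tag that did not come from the template survived into the markup,
// i.e. user-controlled HTML reached the DOM.
function containsForeignTag(html) {
  const inner = html.replace(/^<span class="env">/, "").replace(/<\/span>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Simplified CSP check: inline <script> is allowed when neither script-src nor
// default-src exists, or when 'unsafe-inline' is listed without a nonce or hash
// source (a nonce or hash makes browsers ignore 'unsafe-inline').
function cspAllowsInlineScript(policy) {
  const directives = Object.fromEntries(
    policy.split(";").map(d => d.trim().split(/\s+/)).filter(p => p[0])
      .map(([name, ...sources]) => [name.toLowerCase(), sources])
  );
  const sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample: an environment name carrying markup, as an untrusted
// collection export could; a script element would travel the same path.
const SAMPLE_ENV_NAME = "Staging <i>x</i>";
```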

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-30210
GHSA-FQXC-CXPH-9VQ8

Affected Products

Bruno
React-Tooltip