PT-2025-14117 · Bruno · Bruno

Published

2025-04-01

·

Updated

2025-04-05

·

CVE-2025-30354

CVSS v4.0

8.7

High

Vector AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Bruno versions prior to 1.39.1
Description
A bug in the assertion runtime of Bruno, an open source IDE for exploring and testing APIs, caused assert expressions to run in Developer Mode even when Safe Mode was selected. As a result, the collection's sandbox setting was ignored when a single request was run. The attack surface is limited to scenarios where a user imports a collection from an untrusted or malicious source: exploitation requires the user to download and open an externally provided malicious Bruno collection.
Recommendations
For versions prior to 1.39.1, update to version 1.39.1 or later. Until the update is applied, avoid importing collections from untrusted sources and restrict who may bring externally provided Bruno collections into the environment, so that the Safe Mode setting cannot be relied on as the only control.

Related Identifiers

CVE-2025-30354
GHSA-HFFG-7V8V-79J3

Affected Products

Bruno