cvedb.io
CVE-2025-30210
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2025-04-01T15:16:05.647 · Last modified 2026-06-17T09:08:21.757

Summary

Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components which internally use react-tooltip were setting the content (in this case the Environment name) as raw HTML which then gets injected into DOM on hover. This, combined with loose Content Security Policy restrictions, allowed any valid HTML text containing inline script to get executed on hovering over the respective Environment's name. This vulnerability's attack surface is limited strictly to scenarios where users import collections from untrusted or malicious sources. The exploit requires deliberate action from the user—specifically, downloading and opening an externally provided malicious Bruno or Postman collection export and the user hovers on the environment name. This vulnerabi

Affected products

usebruno — bruno

Does this affect you?

Add your gear to cvedb and we'll alert you only when usebruno ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.