Bun Install Script Vulnerability: PATH Injection Could Symlink Malicious Binary to System Path
A high-severity security vulnerability has been identified in the official Bun installer script, exposing systems to a PATH injection attack. An attacker who already controls the user's PATH environment variable can make the installer symlink a malicious binary into a root-owned system directory. From then on every invocation of `bun` that resolves through that directory runs the attacker's code with the caller's privileges, giving the attacker persistence and a foothold in any privileged context that calls `bun`.
The vulnerability resides in the `sh/cli/install.sh` script (lines 114-132). The script uses `command -v bun` to locate the Bun binary and performs no validation on the resolved path before creating, via `sudo`, the symlink `/usr/local/bin/bun` that points at it. If an attacker can manipulate the user's PATH, for instance by compromising a shell configuration file such as `.bashrc`, they can place an executable named `bun` in a directory that appears earlier in the search path than the real install location. `command -v` returns that file, and the installer symlinks it, hijacking all future `bun` invocations that go through `/usr/local/bin`. The lookup is also unnecessary: the installer knows the directory it just wrote the binary to and could link that path directly instead of trusting whatever PATH resolves first.
This creates a significant privilege escalation risk. The symlink is created with root privileges, but the file it points to remains under the attacker's control, so `/usr/local/bin/bun` becomes a root-owned entry point into attacker-writable code. Any process or user that runs `bun` from that directory, including the installer itself and any administrator or automated job that invokes `bun` under `sudo`, executes the attacker's binary with its own privileges. The issue underscores the critical need for installer scripts to validate the path they are about to link (canonicalise it, confirm it lies inside the expected install directory, and check that it is a regular, user-owned executable rather than a symlink elsewhere) before performing privileged filesystem operations, especially when handling core tooling such as runtime environments.
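The following POSIX shell script is an added illustration of the two lookup patterns; it is not code from the Bun project's `sh/cli/install.sh` and does not reproduce lines 114-132. It shows a PATH-trusting `command -v` lookup next to a hardened lookup that ignores PATH and only accepts the file the installer itself wrote, and it builds a constructed fixture (a genuine install directory, an attacker-controlled directory, and a stand-in for `/usr/local/bin`) so the hijack can be observed without root. The function names, the fixture layout, and the use of `readlink -f` (GNU coreutils or a recent BSD/macOS readlink) are assumptions of this example, not something the advisory states.

```shell
#!/bin/sh
# Added example, not the Bun project's installer. Assumes `readlink -f`
# is available (GNU coreutils or a recent BSD/macOS readlink).

# Naive pattern: whatever `bun` appears first on PATH is what gets linked.
naive_pick_bun() {
    command -v bun
}

# Hardened pattern: ignore PATH entirely. Canonicalise the path the
# installer knows it wrote to ($1/bun) and accept it only if it is a
# regular executable file, still inside that directory after symlink
# resolution, and owned by the invoking user.
safe_pick_bun() {
    install_bin_dir=$1
    resolved=$(readlink -f "$install_bin_dir/bun") || return 1
    expected_dir=$(readlink -f "$install_bin_dir") || return 1
    case $resolved in
        "$expected_dir"/*) ;;       # must not have escaped the install dir
        *) return 1 ;;
    esac
    [ -f "$resolved" ] && [ -x "$resolved" ] || return 1
    [ -O "$resolved" ] || return 1  # -O: owned by the effective user
    printf '%s\n' "$resolved"
}

# Stand-in for the privileged step (`sudo` creating /usr/local/bin/bun).
# Links into a caller-supplied directory so the demo needs no root.
link_bun() {
    target=$1
    link_dir=$2
    ln -sf "$target" "$link_dir/bun" && printf '%s\n' "$link_dir/bun"
}

# Constructed fixture: a genuine install under $tmp/home/.bun/bin, an
# attacker-controlled $tmp/evil/bun, and a fake system bin directory.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/.bun/bin" "$tmp/evil" "$tmp/system_bin"
    printf '#!/bin/sh\necho genuine\n' > "$tmp/home/.bun/bin/bun"
    printf '#!/bin/sh\necho hijacked\n' > "$tmp/evil/bun"
    chmod 755 "$tmp/home/.bun/bin/bun" "$tmp/evil/bun"
    printf '%s\n' "$tmp"
}

# What the naive lookup returns once an attacker directory precedes the
# real install directory on PATH. Runs in a subshell so the caller's
# PATH is untouched.
pick_with_poisoned_path() {
    tmp=$1
    ( PATH="$tmp/evil:$tmp/home/.bun/bin:$PATH"; naive_pick_bun )
}

# Demo: show both outcomes side by side, then clean up.
main() {
    tmp=$(make_fixture)
    naive=$(pick_with_poisoned_path "$tmp")
    link_bun "$naive" "$tmp/system_bin" >/dev/null
    echo "naive picked:    $naive -> $("$tmp/system_bin/bun")"
    if safe=$(safe_pick_bun "$tmp/home/.bun/bin"); then
        echo "hardened picked: $safe -> $("$safe")"
    fi
    # An attacker who can write the install dir swaps the file for a symlink;
    # the hardened lookup refuses it because it resolves outside the dir.
    ln -sf "$tmp/evil/bun" "$tmp/home/.bun/bin/bun"
    safe_pick_bun "$tmp/home/.bun/bin" >/dev/null \
        || echo "hardened rejected symlink to $tmp/evil/bun"
    rm -rf "$tmp"
}

main
```

Running the script prints the attacker's path as the naive choice and `hijacked` when the linked file is executed, while the hardened lookup returns the genuine binary and rejects the symlink swap. The ownership and "inside the install directory" checks are what matter: canonicalising with `readlink -f` first means a symlink planted in the install directory cannot smuggle an outside file past the check.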