oven-sh/bun

Scanned on Jun 20, 2026

Risk score/ 100

High risk

Summary

The Bun repository contains critical use of quantum-vulnerable cryptographic primitives including ECDH/ECDSA for TLS and SHA-1 for WebSocket handshakes. While some findings represent cipher exclusions (security best practices), the WebSocket handshake implementation relies on SHA-1 for protocol compliance, and TLS configuration uses ECDHE/ECDSA ciphersuites vulnerable to quantum attacks.

Critical

High

Medium

Low

Top findings

CriticalSHA-1
packages/bun-uws/src/WebSocketHandshake.h:130
SHA-256 or SHA3-256
Raw evidence
```
sha1(b_output, last_b);
```
CriticalDES
packages/bun-usockets/src/crypto/default_ciphers.h:15
Raw evidence
```
"!DES:"                            \
```
CriticalRC4 / ARCFOUR
packages/bun-usockets/src/crypto/default_ciphers.h:16
Raw evidence
```
"!RC4:"                            \
```
CriticalMD5
packages/bun-usockets/src/crypto/default_ciphers.h:17
SHA3-256 or SHA-256
Raw evidence
```
"!MD5:"                            \
```
CriticalSHA-1
packages/bun-uws/src/WebSocketHandshake.h:91
SHA-256 or SHA3-256
Raw evidence
```
static inline void sha1(uint32_t hash[5], uint32_t b[16]) {
```

+ 7 more findings in the full report

Scan your own repository

Free. Results in ~90 seconds. CBOM + DORA/NIS2 PDF included.

Start a free scan