CVE-2025-32955

April 21, 2025, 9:15 p.m.

6.0
Medium

Description

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0.

Product(s) Impacted

Vendor Product Versions
Harden-runner
  • Harden-runner
  • 0.12.0-2.11.9, <2.12.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-268
Privilege Chaining
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a harden-runner harden-runner 0.12.0-2.11.9 / / / / / / /
a harden-runner harden-runner <2.12.0 / / / / / / /

References

https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0
https://github.com/step-security/harden-runner/releases/tag/v2.12.0
https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r

Tags

security-advisories@github.com
CWE-268
2025-04-21
CVE-2025-32955

CVSS Score

6.0 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

    View Vector String

Timeline

Published: April 21, 2025, 9:15 p.m.
Last Modified: April 21, 2025, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.