Platform: docker
Component: harden-runner
Fixed in: 0.12.1
CVE-2025-32955 is a medium-severity vulnerability affecting Harden-Runner versions 0.12.0 through 2.11.9. This vulnerability allows users belonging to the Docker group to bypass the disable-sudo policy, potentially leading to root access on the GitHub Actions runner. The vulnerability is resolved in version 2.12.0, and users are strongly encouraged to upgrade.
The disable-sudo feature in Harden-Runner is intended to prevent the GitHub Actions runner user from executing commands with elevated privileges. However, due to a design flaw, members of the Docker group can leverage the Docker daemon to circumvent this restriction. An attacker could exploit this vulnerability to launch privileged containers, access the host filesystem, and ultimately gain root access to the underlying system. This could lead to unauthorized code execution, data theft, and complete compromise of the CI/CD pipeline. The impact is particularly severe as it affects the security of automated build and deployment processes.
This vulnerability is currently not listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests a medium probability of exploitation (see the EPSS score below). The vulnerability was publicly disclosed on 2025-04-21. Active campaigns targeting Harden-Runner are not currently known.
Organizations heavily reliant on GitHub Actions for CI/CD pipelines are at significant risk. Specifically, deployments utilizing older versions of Harden-Runner (0.12.0 - 2.11.9) and granting the runner user broad Docker group permissions are particularly vulnerable. Shared hosting environments where multiple users share a runner instance also face increased exposure.
• docker: Inspect Docker group membership for the runner user:
    getent group docker | grep -q 'runner' && echo 'Potential Vulnerability: Runner user is in Docker group'
• docker: Monitor Docker daemon logs for unusual container creation or privilege escalation attempts.
• generic web: Review GitHub Actions workflows for any suspicious commands or container configurations.
• linux / server: Audit Docker daemon configuration for overly permissive settings.
• windows / supply-chain: Less relevant, but check for Docker Desktop installations on runner machines and their configurations.
Disclosure
Exploit status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-32955 is to upgrade Harden-Runner to version 2.12.0 or later, which addresses the sudo bypass vulnerability. If an immediate upgrade is not feasible, consider restricting access to the Docker daemon or removing the runner user from the Docker group. While not a complete solution, this can reduce the attack surface. Review and audit Docker configurations to ensure least privilege principles are enforced. After upgrading, verify the disable-sudo policy is functioning as expected by attempting to execute sudo commands as the runner user and confirming they are denied.
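The following audit script is an added example and is not part of this advisory or of the Harden-Runner project. It covers the detection bullets above and the post-upgrade verification just described in one place: it performs the docker-group membership check with an exact match on the user name (the one-liner above would also match a user such as ci-runner), scans workflow text for pinned step-security/harden-runner tags that fall in the affected range, and wraps the sudo-denial check for the runner host. Assumptions: the affected range is the one given in the advisory text, 0.12.0 through 2.11.9, with the fix in 2.12.0; workflows pin the action by tag as step-security/harden-runner@vX.Y.Z (the action name and its disable-sudo input are the project's real identifiers, the function names and the group line and workflow samples are constructed for this example).

```shell
#!/bin/sh
# Audit helpers for CVE-2025-32955 (added example, not Harden-Runner code).
# Assumed affected range, taken from the advisory text: 0.12.0 .. 2.11.9.

# Return 0 (affected) when VERSION lies inside 0.12.0 .. 2.11.9.
# Accepts "2.11.9" or "v2.11.9". Anything that is not X.Y.Z is treated as
# unknown and reported as not affected so the caller can inspect it by hand.
version_affected() {
  v=${1#v}
  printf '%s\n' "$v" | awk -F. '
    NF != 3 { exit 1 }
    { n = $1 * 1000000 + $2 * 1000 + $3
      exit !(n >= 12000 && n <= 2011009) }'
}

# Return 0 when USER is listed as a member in a group(5) line, e.g. the
# output of `getent group docker`. Exact match on the member name.
user_in_group_line() {
  line=$1
  user=$2
  printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$user"
}

# Print every harden-runner tag referenced by `uses:` lines in WORKFLOW text.
harden_runner_tags() {
  printf '%s\n' "$1" |
    sed -n 's/.*uses:[[:space:]]*step-security\/harden-runner@\([^[:space:]]*\).*/\1/p'
}

# Return 0 when any harden-runner tag in WORKFLOW text is an affected version.
workflow_uses_affected_version() {
  for tag in $(harden_runner_tags "$1"); do
    if version_affected "$tag"; then
      return 0
    fi
  done
  return 1
}

# Live check for the runner host after upgrading: sudo must be denied for the
# current user. Returns 0 when `sudo -n true` fails (policy enforced) or sudo
# is absent, 1 when a non-interactive sudo succeeds (policy not enforced).
sudo_is_denied() {
  if command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Constructed sample inputs (not taken from a real host or repository).
SAMPLE_GROUP_LINE='docker:x:999:runner,ci-bot'
SAMPLE_WORKFLOW='jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.11.9
        with:
          disable-sudo: true
      - uses: actions/checkout@v4'

# Offline report over the constructed samples; on a real runner replace the
# samples with `getent group docker` output and the repository's workflow files.
audit_report() {
  if user_in_group_line "$SAMPLE_GROUP_LINE" runner; then
    echo "runner is in the docker group: disable-sudo can be bypassed on affected versions"
  fi
  if workflow_uses_affected_version "$SAMPLE_WORKFLOW"; then
    echo "workflow pins an affected harden-runner tag: upgrade to v2.12.0 or later"
  fi
}

audit_report
```

On a runner host, run `sudo_is_denied && echo 'disable-sudo enforced'` as the runner user after the upgrade; the offline functions can be fed real `getent group docker` output and workflow files via `cat` in place of the samples.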
Update Harden-Runner to version 2.12.0 or later. This version fixes the vulnerability that allows the 'disable-sudo' policy to be bypassed. The update ensures that the sudo restriction is enforced correctly, preventing unauthorized access to the system.
CVE-2025-32955 is a medium-severity vulnerability in Harden-Runner versions 0.12.0 through 2.11.9 that allows users in the Docker group to bypass the disable-sudo policy and potentially gain root access.
You are affected if you are using Harden-Runner versions 0.12.0 through 2.11.9 and the runner user is a member of the Docker group.
Upgrade Harden-Runner to version 2.12.0 or later to resolve the vulnerability. Consider restricting Docker group permissions as an interim measure.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests a potential risk.
Refer to the Harden-Runner project's official security advisories for the most up-to-date information and guidance.