Platform
react
Component
react-native-bottom-tabs
Fixed in
0.9.3
CVE-2025-54594 is a critical remote code execution (RCE) vulnerability affecting versions of the react-native-bottom-tabs library up to and including 0.9.2. This vulnerability arises from an improper configuration of the release-canary.yml GitHub Actions workflow, allowing untrusted code from forked pull requests to execute in a privileged context. The vulnerability is fixed in version 0.9.3.
The primary impact of CVE-2025-54594 is arbitrary code execution. An attacker can craft a pull request containing a malicious preinstall script within the package.json file. By triggering the vulnerable release-canary.yml GitHub Actions workflow with a specific comment (!canary), the attacker can execute this script in a privileged context. This allows them to perform actions such as stealing sensitive information (API keys, credentials, source code), installing malware, or even gaining control of the build environment. The blast radius extends to any project utilizing the vulnerable react-native-bottom-tabs version and relying on the affected GitHub Actions workflow for releases.
This vulnerability is considered high probability due to the ease of exploitation and the public nature of the GitHub Actions workflow. While no public exploits have been widely reported, the vulnerability's simplicity makes it a likely target for automated scanning and exploitation. The vulnerability was publicly disclosed on 2025-08-05. It is not currently listed on CISA KEV.
React Native developers and organizations using the react-native-bottom-tabs library in their projects are at risk. This includes those relying on automated build pipelines and continuous integration/continuous delivery (CI/CD) systems, as the vulnerability can be exploited during the build process. Projects utilizing forked repositories or accepting pull requests from external contributors are particularly vulnerable.
• react: Examine your package.json files for suspicious preinstall scripts, especially in dependencies related to react-native-bottom-tabs:
  grep 'preinstall' package.json
• github: Review your GitHub Actions workflows (.github/workflows/release-canary.yml) for improper use of the `pull_request_target` event trigger. Ensure that only trusted code is executed in privileged contexts.
• react: Check your project's dependencies for versions of react-native-bottom-tabs below 0.9.3 using `npm list react-native-bottom-tabs` or `yarn list react-native-bottom-tabs`.
disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54594 is to upgrade to version 0.9.3 or later, which addresses the insecure workflow configuration. If upgrading is not immediately feasible, consider temporarily disabling the release-canary.yml GitHub Actions workflow or restricting pull request access to trusted contributors. Review all GitHub Actions workflows for similar misconfigurations, particularly those using the `pull_request_target` event trigger. Implement stricter code review processes to scrutinize package.json files for malicious scripts.
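The workflow review called for above (and in the `github` detection step) can be scripted. The following is an added example, not code from the react-native-bottom-tabs project: a line-based heuristic that flags the pattern behind CVE-2025-54594 (a privileged trigger, a checkout of the pull request's own code, and a package install that runs that code's `package.json` lifecycle scripts). The two workflow texts are constructed to show the pattern and its fix; they are not the project's real release-canary.yml.

```python
import re

# Heuristics rather than a YAML parser: workflow files are small and these keys are distinctive.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment")  # run with the base repo's secrets
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/|gh pr checkout")
INSTALL_RE = re.compile(r"\b(npm (ci|install|i)|yarn|pnpm (i|install))\b")


def audit_workflow(text: str) -> list:
    """Return findings for the CVE-2025-54594 pattern; an empty list means nothing was flagged."""
    header, _, jobs = text.partition("\njobs:")  # 'on:' triggers live before the jobs: block
    if not any(trigger in header for trigger in PRIVILEGED_TRIGGERS):
        return []  # a plain pull_request run from a fork gets no secrets; nothing to flag
    findings = []
    if PR_HEAD_RE.search(jobs):
        findings.append("privileged trigger checks out the pull request head (untrusted code)")
        if INSTALL_RE.search(jobs) and "--ignore-scripts" not in jobs:
            findings.append("package install runs lifecycle scripts (preinstall) from that code")
    return findings


# Constructed sample modelled on the advisory's description; not the project's actual file.
VULNERABLE = """name: release-canary
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  canary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install
      - run: npm publish --tag canary
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Same job, hardened: check out the base branch (default ref) and never run lifecycle scripts.
HARDENED = VULNERABLE.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", ""
).replace("yarn install", "yarn install --ignore-scripts")

if __name__ == "__main__":
    print("vulnerable:", audit_workflow(VULNERABLE))  # two findings
    print("hardened:  ", audit_workflow(HARDENED))    # []
```

Run it against every file under `.github/workflows/` to triage; a finding is a prompt to read the workflow, since the heuristic cannot see conditions such as label gates.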
Update to a version after 0.9.2 as soon as it is available. Alternatively, remove `.github/workflows/release-canary.yml` from the repository. Review the GitHub Actions secrets and revoke any compromised tokens.
CVE-2025-54594 is a critical remote code execution vulnerability in react-native-bottom-tabs versions up to 0.9.2. A malicious pull request can trigger arbitrary code execution during the build process.
Yes, if you are using react-native-bottom-tabs version 0.9.2 or earlier, you are affected by this vulnerability. Upgrade to version 0.9.3 or later to mitigate the risk.
The recommended fix is to upgrade to version 0.9.3 or later of the react-native-bottom-tabs library. Temporarily disabling the release-canary workflow is a workaround if upgrading is not immediately possible.
While active exploitation is not yet confirmed, the vulnerability is considered high probability and public proof-of-concept exploits are likely to emerge, increasing the risk.
Refer to the official react-native-bottom-tabs repository and related security advisories for the most up-to-date information and guidance.