Platform
docker
Component
harden-runner
Fixed in
0.12.1
CVE-2025-32955 is a medium-severity vulnerability affecting Harden-Runner versions 0.12.0 through 2.11.9. This vulnerability allows users belonging to the Docker group to bypass the disable-sudo policy, potentially leading to root access on the GitHub Actions runner. The vulnerability is resolved in version 2.12.0, and users are strongly encouraged to upgrade.
The disable-sudo feature in Harden-Runner is designed to prevent the runner user from executing commands with elevated privileges. However, due to the runner user's membership in the Docker group, an attacker can leverage the Docker daemon to launch privileged containers or directly access the host filesystem. This effectively circumvents the intended security control, granting the attacker root access. Successful exploitation could allow an attacker to steal sensitive credentials, modify build artifacts, or compromise the entire CI/CD pipeline. The impact is particularly severe in environments where the runner executes code from untrusted sources.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests a moderate probability of exploitation (EPSS score likely medium). The vulnerability was publicly disclosed on 2025-04-21. Active campaigns targeting this vulnerability are not currently confirmed.
Exploit Status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32955 is to upgrade Harden-Runner to version 2.12.0 or later, which addresses the sudo bypass vulnerability. If an immediate upgrade is not possible, consider restricting the Docker group's permissions to minimize the potential impact. Implement stricter container security policies, such as limiting the capabilities granted to containers and enforcing read-only access to sensitive files. Monitor Docker daemon activity for suspicious behavior. After upgrading, confirm the fix by attempting to execute sudo commands as the runner user and verifying that they are denied.
Update Harden-Runner to version 2.12.0 or later. This version fixes the vulnerability that allows the 'disable-sudo' policy to be bypassed. The update ensures that the sudo restriction is enforced correctly, preventing unauthorized access to the system.
CVE-2025-32955 is a medium-severity vulnerability in Harden-Runner versions 0.12.0 through 2.11.9 that allows users in the Docker group to bypass the disable-sudo policy and potentially gain root access.
You are affected if you are using Harden-Runner versions 0.12.0 through 2.11.9 and the runner user is a member of the Docker group.
Upgrade Harden-Runner to version 2.12.0 or later to resolve the vulnerability. Consider restricting Docker group permissions as an interim measure.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests a potential risk.
Refer to the Harden-Runner project's official security advisories for the most up-to-date information and guidance.
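As an added audit helper (not code from this advisory or from the Harden-Runner project), the POSIX shell script below applies the exposure condition stated above (affected version range and Docker group membership) and the post-upgrade sudo check; it assumes the Harden-Runner version string is supplied from the action reference pinned in the workflow.

```shell
#!/bin/sh
# Added audit helper, not code from the advisory or the Harden-Runner project.
# The affected range (0.12.0 through 2.11.9) and the Docker-group condition come
# from the advisory; the version string (e.g. "v2.11.9") is assumed to be taken
# from the action reference pinned in the workflow.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions).
vercmp() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        if [ "${a:-0}" -lt "${b:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then printf '%s\n' 1; return; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    printf '%s\n' 0
}

# harden_runner_affected VERSION GROUPS: returns 0 (true) when VERSION lies in
# the affected range AND GROUPS (the `id -nG` output for the runner user)
# contains "docker", i.e. the advisory's condition for exposure.
harden_runner_affected() {
    ver=${1#v}
    in_range=1
    [ "$(vercmp "$ver" 0.12.0)" -ge 0 ] || in_range=0
    [ "$(vercmp "$ver" 2.11.9)" -le 0 ] || in_range=0
    in_docker=0
    for g in $2; do [ "$g" = docker ] && in_docker=1; done
    [ "$in_range" -eq 1 ] && [ "$in_docker" -eq 1 ]
}

# verify_sudo_disabled: the post-upgrade check from the advisory. Returns 0 when
# a non-interactive sudo attempt by the current user is refused, 1 when sudo
# still grants elevation. -n suppresses the password prompt, so run this as the
# runner user inside a workflow step, where sudo is normally passwordless; a
# missing sudo binary also reads as refused.
verify_sudo_disabled() {
    if sudo -n true >/dev/null 2>&1; then
        echo "sudo still permitted for $(id -un)"; return 1
    fi
    echo "sudo denied for $(id -un)"; return 0
}

# Usage inside a workflow step (HARDEN_RUNNER_VERSION set from the pinned ref):
#   harden_runner_affected "$HARDEN_RUNNER_VERSION" "$(id -nG)" && echo "affected"
#   verify_sudo_disabled
```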