Platform: react
Component: react-native-bottom-tabs
Fixed in: 0.9.3
CVE-2025-54594 is a critical remote code execution (RCE) vulnerability affecting versions of the react-native-bottom-tabs library up to and including 0.9.2. This vulnerability arises from an improper configuration of the release-canary.yml GitHub Actions workflow, allowing untrusted code from forked pull requests to execute in a privileged context. The vulnerability is fixed in version 0.9.3.
The impact of this vulnerability is severe. An attacker can craft a malicious pull request containing a harmful preinstall script within the package.json file. By triggering the vulnerable release-canary.yml workflow through a specific comment (!canary), the attacker can execute arbitrary code within the build environment. This code execution occurs with elevated privileges, enabling attackers to potentially exfiltrate sensitive data, compromise the build pipeline, or even gain control of the underlying infrastructure. The ability to execute arbitrary code opens the door to a wide range of malicious activities, making this a high-priority vulnerability to address.
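A defender's check for the workflow shape described above (a privileged trigger, a checkout of pull-request code, and a package install that runs package.json lifecycle scripts), added here as an example; it is not code from the react-native-bottom-tabs project. The vulnerable and hardened workflow texts are constructed stand-ins, not the real release-canary.yml; the `!canary` comment is the trigger the advisory names, and the regexes are heuristics assumed for this illustration.

```python
"""Heuristic check for the pattern behind CVE-2025-54594 (privileged trigger +
PR checkout + install that runs lifecycle scripts). Added example; both
workflow texts below are constructed, not the project's release-canary.yml."""
import re

# events that run with the base repo's secrets even for a fork's comment or PR
PRIVILEGED_TRIGGERS = ("issue_comment", "pull_request_target", "workflow_run")
# checkout refs that resolve to the pull request's (untrusted) head commit
PR_HEAD_REF = re.compile(r"ref:.*(refs/pull/|pull_request\.head|head_ref)")
# installs that execute package.json preinstall/postinstall unless told not to
INSTALL_CMD = re.compile(r"\b(npm (ci|install|i)|yarn( install)?|pnpm (install|i))\b(?!\.)")

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means pattern absent."""
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"^\s*{t}\s*:", text, re.M)]
    if not triggers:
        return []  # nothing privileged is reachable from a fork or a comment
    findings = []
    if PR_HEAD_REF.search(text):
        findings.append(f"checks out PR head code under privileged trigger {triggers}")
    for line in text.splitlines():
        if INSTALL_CMD.search(line) and "--ignore-scripts" not in line:
            findings.append("install executes lifecycle scripts: " + line.strip())
    if "author_association" not in text:
        findings.append("no author_association gate on who may trigger the job")
    return findings

VULNERABLE = """\
on:
  issue_comment:
    types: [created]
jobs:
  canary:
    if: contains(github.event.comment.body, '!canary')
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: npm install && npm publish --tag canary  # NPM_TOKEN in env
"""
# hardened: maintainer-started, read-only token, trusted branch, no scripts
HARDENED = """\
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  canary:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm publish --tag canary
"""
```

Run `audit_workflow` over each file in `.github/workflows/` to list the workflows that need the same treatment as the fixed release-canary.yml.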
This vulnerability is actively being tracked and is rated high probability because it is easy to exploit and the potential impact is severe. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on August 5, 2025. Prioritize remediation to prevent compromise.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54594 is to upgrade to version 0.9.3 or later of the react-native-bottom-tabs library. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the release-canary.yml workflow in your GitHub repository. Review and audit all pull requests, especially those from external contributors, to identify and reject any malicious scripts. Implement stricter code review processes and security scanning tools to detect potential vulnerabilities before they are merged into the codebase.
Update to a version later than 0.9.2 when available. Alternatively, delete the `.github/workflows/release-canary.yml` workflow from the repository. Review GitHub Actions secrets and revoke any tokens that may have been exposed.
What is CVE-2025-54594?
CVE-2025-54594 is a critical remote code execution vulnerability in react-native-bottom-tabs versions up to 0.9.2. A malicious pull request can trigger arbitrary code execution during the build process.
Am I affected?
Yes, if you are using react-native-bottom-tabs version 0.9.2 or earlier, you are affected by this vulnerability. Upgrade to version 0.9.3 or later to mitigate the risk.
What is the fix?
The recommended fix is to upgrade to version 0.9.3 or later of the react-native-bottom-tabs library. Temporarily disabling the release-canary workflow is a workaround if upgrading is not immediately possible.
Is it being exploited?
While active exploitation is not yet confirmed, the vulnerability is considered high probability and public proof-of-concept exploits are likely to emerge, increasing the risk.
Where can I find more information?
Refer to the official react-native-bottom-tabs repository and related security advisories for the most up-to-date information and guidance.