Platform
react
Component
react-native-bottom-tabs
Fixed in
0.9.3
CVE-2025-54594 is a critical remote code execution (RCE) vulnerability in the react-native-bottom-tabs library, affecting versions up to and including 0.9.2. It stems from a misconfigured GitHub Actions workflow, release-canary.yml, in the project repository: the workflow runs with the privileges of the base repository (including access to its secrets) yet checks out and executes code from forked pull requests, which should only ever run in an unprivileged context. The vulnerability is fixed in version 0.9.3.
The impact is severe. An attacker opens a pull request whose package.json carries a malicious preinstall script, then triggers the vulnerable release-canary.yml workflow by posting a specific comment (!canary) on it. The workflow checks out the pull request's code and installs its dependencies, and package managers run preinstall hooks automatically during that step, so the attacker's command executes inside the build environment with the workflow's elevated privileges. From there the attacker can read the secrets exposed to the job (such as tokens), exfiltrate data, tamper with the build and release pipeline, or pivot to the underlying infrastructure. Because it yields arbitrary code execution in a trusted pipeline, this is a high-priority vulnerability to address.
The vulnerability is actively tracked, and exploitation is considered likely because it is easy to trigger and the payoff is high; public proof-of-concept exploits are expected, which would increase the risk of widespread exploitation. It was publicly disclosed on August 5, 2025. Note that the EPSS score listed on this page (0.08%) is low: the "likely" assessment rests on ease of exploitation, not on observed attacks. Remediation should be prioritized.
React Native developers and organizations using react-native-bottom-tabs are at risk. The flaw sits in the library's CI/CD, so it is exploited during the build and release process rather than in application code: a compromised pipeline can leak its secrets and undermines trust in everything it publishes downstream. Most directly exposed are the upstream repository and any fork of it that kept the release-canary.yml workflow and accepts pull requests from external contributors.
• react: Examine your package.json files for suspicious preinstall scripts, especially in dependencies related to react-native-bottom-tabs: `grep -n '"preinstall"' package.json`
• github: Review your GitHub Actions workflows (.github/workflows/release-canary.yml) for improper use of the `pull_request_target` event trigger (and of `issue_comment`, which likewise runs with the base repository's secrets): under those triggers a workflow must not check out and run pull request code. Ensure that only trusted code is executed in privileged contexts.
• react: Check your project's dependencies for versions of react-native-bottom-tabs below 0.9.3 using `npm list react-native-bottom-tabs` or `yarn list --pattern react-native-bottom-tabs`.
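As an added example (not the project's workflow and not tooling from this advisory), the shell script below writes three constructed sample files into a temporary directory and runs the checks from the list above over them: a workflow with the risky shape described for CVE-2025-54594, a hardened variant, and a package.json carrying a preinstall hook. The sample uses the comment-driven `issue_comment` trigger that a `!canary` command implies; `pull_request_target` has the same privileged property, and the check matches both. The file names, the placeholder preinstall command and the `yarn release:canary` step are assumptions.

```shell
#!/bin/sh
# Audit for the CVE-2025-54594 shape: a privileged trigger that checks out
# pull request code and runs an install step (so a preinstall hook from the
# PR's package.json executes with the repository's secrets), plus the two
# package-level checks. Sample files are constructed for this demonstration.
set -u

write_samples() {
  # Constructed risky workflow. issue_comment (like pull_request_target) runs
  # with the base repository's secrets; checking out refs/pull/N/head then
  # brings in the fork's package.json before yarn install runs its hooks.
  cat > "$1/release-canary.yml" <<'EOF'
on:
  issue_comment:
    types: [created]
jobs:
  canary:
    if: contains(github.event.comment.body, '!canary')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: yarn install
      - run: yarn release:canary
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  # Constructed hardened variant: maintainer-only trigger, default-branch
  # checkout, and an install that skips lifecycle scripts.
  cat > "$1/release-canary.fixed.yml" <<'EOF'
on:
  workflow_dispatch:
jobs:
  canary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install --ignore-scripts
      - run: yarn release:canary
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  # Constructed package.json as a malicious PR might ship it (placeholder hook).
  cat > "$1/package.json" <<'EOF'
{
  "name": "react-native-bottom-tabs",
  "version": "0.9.2",
  "scripts": { "preinstall": "echo placeholder-for-untrusted-command" }
}
EOF
}

# 0 (risky) when a privileged trigger is combined with a checkout of PR code.
audit_workflow() {
  grep -Eq '^[[:space:]]*(pull_request_target|issue_comment)[[:space:]]*:' "$1" || return 1
  grep -Eq 'github\.event\.pull_request\.head|refs/pull/' "$1"
}

# 0 when an npm/yarn/pnpm install step runs without --ignore-scripts.
runs_lifecycle_scripts() {
  grep -E '(npm|yarn|pnpm)[[:space:]]+(install|ci|i)([[:space:]]|$)' "$1" | grep -vq -- '--ignore-scripts'
}

# 0 when package.json declares a preinstall hook.
has_preinstall() { grep -Eq '"preinstall"[[:space:]]*:' "$1"; }

# Print the "version" field of a package.json.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 when a dotted version is below the fixed release 0.9.3 (a pre-release
# suffix such as 0.9.3-rc.1 is compared on its numeric part only).
version_vulnerable() {
  printf '%s\n' "$1" | awk -F. 'BEGIN { split("0.9.3", f, ".") }
    { for (i = 1; i <= 3; i++) { v = $i + 0
        if (v < f[i] + 0) exit 0
        if (v > f[i] + 0) exit 1 }
      exit 1 }'
}

WORK=$(mktemp -d)
write_samples "$WORK"
for wf in "$WORK/release-canary.yml" "$WORK/release-canary.fixed.yml"; do
  if audit_workflow "$wf"; then echo "RISKY  $wf: privileged trigger checks out PR code"; else echo "ok     $wf"; fi
  if runs_lifecycle_scripts "$wf"; then echo "       install step would run a preinstall hook"; fi
done
if has_preinstall "$WORK/package.json"; then echo "FOUND  preinstall hook in $WORK/package.json"; fi
v=$(pkg_version "$WORK/package.json")
if version_vulnerable "$v"; then echo "FOUND  react-native-bottom-tabs $v is below the fixed 0.9.3"; fi
```

To use it on a real checkout, point the three functions at `.github/workflows/*.yml` and the project's package.json instead of the sample files. The hardened variant still exposes NPM_TOKEN to the job; what removes the risk is that nothing from a fork is checked out under a trigger that carries secrets, and `--ignore-scripts` keeps lifecycle hooks from running even if untrusted code does land there. A plain `pull_request` trigger is the other option for builds that genuinely need the PR's code, because for forks it runs without secrets.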
Disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54594 is to upgrade to version 0.9.3 or later of react-native-bottom-tabs. If you maintain a fork that still contains the release-canary.yml workflow and cannot upgrade immediately because of compatibility issues or breaking changes, disable or remove that workflow in the meantime. Review and audit all pull requests, especially those from external contributors, and reject any that add install-time scripts you did not expect. Enforce stricter code review and run security scanning in CI so that such changes are caught before they are merged.
Update to version 0.9.3 or later. Alternatively, remove the `.github/workflows/release-canary.yml` workflow from the repository. Review the GitHub Actions secrets and revoke any token that may have been compromised.
CVE-2025-54594 is a critical remote code execution vulnerability in react-native-bottom-tabs versions up to 0.9.2. A malicious pull request can trigger arbitrary code execution during the build process.
Yes, if you are using react-native-bottom-tabs version 0.9.2 or earlier, you are affected by this vulnerability. Upgrade to version 0.9.3 or later to mitigate the risk.
The recommended fix is to upgrade to version 0.9.3 or later of the react-native-bottom-tabs library. Temporarily disabling the release-canary workflow is a workaround if upgrading is not immediately possible.
While active exploitation has not been confirmed, exploitation is considered likely, and public proof-of-concept exploits are expected to emerge, which would increase the risk.
Refer to the official react-native-bottom-tabs repository and related security advisories for the most up-to-date information and guidance.