The Sysdig Threat Research Team (TRT) has identified CVE-2025-32955, a significant vulnerability in the Harden-Runner GitHub Action that allows attackers to bypass the disable-sudo security feature, compromising CI/CD workflows. Users are encouraged to update to version v2.12.0 to mitigate this risk. Affected: GitHub Actions, CI/CD Tools
Key points:
- Identified vulnerability: CVE-2025-32955 in Harden-Runner GitHub Action.
- Exploitation allows bypassing of the disable-sudo security mechanism.
- Vulnerability has a CVSS v3.1 base score of 6.0.
- Harden-Runner aims to secure GitHub Action workflows by hardening job environments.
- Attacker can gain sudo access and modify configurations undetected in the CI/CD pipeline.
- Version v2.12.0 released to remediate the vulnerability on April 21, 2025.
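A quick audit a defender can run over workflow files to find Harden-Runner pins older than the fixed release. This is an added example, not code from Sysdig or StepSecurity; the workflow text is constructed, and refs that are not semver tags (commit SHAs, branches) are reported as unresolved rather than judged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not from the advisory): one job on an old tag,
# one on the fixed tag, one pinned to a made-up commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.11.0
        with:
          disable-sudo: true
      - uses: actions/checkout@v4
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.12.0
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
"""

FIXED_VERSION = (2, 12, 0)  # first release carrying the CVE-2025-32955 fix
USES_RE = re.compile(r"uses:\s*step-security/harden-runner@(\S+)")


def parse_version(ref: str):
    """Map a tag like v2.11.0 to (2, 11, 0); return None for non-semver refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return (line_number, ref) pairs under 'vulnerable' for semver pins older
    than FIXED_VERSION and under 'unresolved' for pins whose version is unknown
    (a SHA or branch must be checked against the release it points to)."""
    result: Dict[str, List[Tuple[int, str]]] = {"vulnerable": [], "unresolved": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if not m:
            continue
        ref = m.group(1)
        ver = parse_version(ref)
        if ver is None:
            result["unresolved"].append((lineno, ref))
        elif ver < FIXED_VERSION:
            result["vulnerable"].append((lineno, ref))
    return result


if __name__ == "__main__":
    for kind, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        for lineno, ref in hits:
            print(f"{kind}: line {lineno} pins {ref}")
```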
MITRE Techniques:
- Privilege Escalation (T1068) – Bypassing the disable-sudo feature to obtain root access using Docker.
- Exploitation for Client Execution (T1203) – Executing commands within Docker containers to restore sudo privileges.
Indicators of Compromise:
- [Domain] step-security/harden-runner
- [Version] v2.12.0
Full Story: https://sysdig.com/blog/security-mechanism-bypass-in-harden-runner-github-action/