A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit.
Note: This vulnerability only affects audit mode. When using egress-policy: block, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).
Medium - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow.
When Harden-Runner is configured in audit mode (egress-policy: audit), attackers with the ability to execute arbitrary code in a workflow can:
Important: This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).
The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events:
sendto()
sendmsg()
sendmmsg()
An attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels.
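A compensating detection for this gap, added here as an example and not part of the advisory or of Harden-Runner itself: assuming the runner's auditd has been loaded with the rule `-a always,exit -F arch=b64 -S sendto,sendmsg,sendmmsg -k udp_egress` (an assumption, since the advisory names no such rule), the script below reads the resulting SYSCALL records and reports which executables used the three calls that audit mode does not log. The log lines, pids and paths are constructed sample data.

```python
import re
from collections import Counter

# x86_64 (arch=c000003e) numbers of the three syscalls named in the advisory.
X86_64_SEND_SYSCALLS = {44: "sendto", 46: "sendmsg", 307: "sendmmsg"}
X86_64_ARCH = "c000003e"

# Fields of an auditd SYSCALL record; "\spid=" avoids matching the "ppid=" field.
SYSCALL_RE = re.compile(
    r'type=SYSCALL .*?arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) '
    r'success=(?P<success>yes|no) .*?\spid=(?P<pid>\d+) '
    r'.*?comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)"'
)

# Constructed sample records, as produced by the assumed compensating rule:
#   -a always,exit -F arch=b64 -S sendto,sendmsg,sendmmsg -k udp_egress
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=44 success=yes exit=32 a0=3 a1=7ffd1 a2=20 a3=0 items=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="beacon" exe="/tmp/beacon" key="udp_egress"',
    'type=PROCTITLE msg=audit(1700000000.101:201): proctitle="/tmp/beacon"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=46 success=yes exit=64 a0=3 a1=7ffd2 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="beacon" exe="/tmp/beacon" key="udp_egress"',
    # Failed send: the kernel refused it, so it moved no data and is not counted.
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=307 success=no exit=-111 a0=3 a1=7ffd3 a2=4 a3=0 items=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="beacon" exe="/tmp/beacon" key="udp_egress"',
    # 32-bit process: syscall numbers differ per arch, so it is reported, not mapped.
    'type=SYSCALL msg=audit(1700000000.104:204): arch=40000003 syscall=44 success=yes exit=8 a0=3 a1=ffd4 a2=8 a3=0 items=0 ppid=1300 pid=1301 auid=1001 uid=1001 comm="legacy32" exe="/opt/legacy32" key="udp_egress"',
    # connect(2) is already covered by Harden-Runner and is not one of the three.
    'type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd5 a2=16 a3=0 items=0 ppid=1200 pid=1400 auid=1001 uid=1001 comm="curl" exe="/usr/bin/curl" key="udp_egress"',
]


def parse_send_events(lines):
    """Return (events, skipped_arch): one dict per successful sendto/sendmsg/
    sendmmsg record on x86_64, plus a count of records from other arches."""
    events, skipped_arch = [], 0
    for line in lines:
        m = SYSCALL_RE.search(line)
        if not m:
            continue  # not a SYSCALL record (PROCTITLE, CWD, ...)
        if m["arch"] != X86_64_ARCH:
            skipped_arch += 1  # needs the b32 variant of the rule and its own table
            continue
        name = X86_64_SEND_SYSCALLS.get(int(m["nr"]))
        if name is None or m["success"] != "yes":
            continue
        events.append({"pid": int(m["pid"]), "comm": m["comm"],
                       "exe": m["exe"], "syscall": name})
    return events, skipped_arch


def summarize(events):
    """Count successful sends per (exe, syscall): each entry is egress that
    Harden-Runner audit mode would not have recorded."""
    return Counter((e["exe"], e["syscall"]) for e in events)


if __name__ == "__main__":
    found, skipped = parse_send_events(SAMPLE_AUDIT_LOG)
    for (exe, call), n in sorted(summarize(found).items()):
        print(f"{exe}: {n} x {call}")
    print(f"records from other architectures: {skipped}")
```

Only successful calls are counted, so a refused send does not inflate the report; run the same summary against the Harden-Runner insights for the job to find egress it never saw.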
This vulnerability ONLY affects users of the Harden-Runner Community Tier.
The Harden-Runner Enterprise Tier is **NOT...
2.14.2
CVSS 4.0 score: 6.0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Exploitability: AV:N, AC:L, AT:P, PR:L, UI:N
Vulnerable System: VC:L, VI:H, VA:N
Subsequent System: SC:N, SI:N, SA:N