Bypass Vulnerability in Harden-Runner CI/CD Security Agent from Step Security
CVE-2025-32955

6 MEDIUM

Key Information:

Vendor
CVE Published: 21 April 2025

What is CVE-2025-32955?

Harden-Runner, a CI/CD security agent designed to protect GitHub Actions runners, is vulnerable to a disable-sudo bypass. The vulnerability arises from the way the agent manages sudo permissions: the runner user is removed from the sudoers file but remains a member of the docker group. That user can therefore interact with the Docker daemon to launch privileged containers or access the host filesystem undetected, which bypasses the intended restriction and can let an attacker regain root access. The issue is fixed in version 2.12.0.
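The condition described above (sudo rule gone, docker group membership still present) can be audited on a runner image. The script below is an added example, not code from Harden-Runner or its vendor: the function names and result labels are hypothetical, the sample files are constructed, and the sudoers match is deliberately simple (it only finds rules that name the user directly, not aliases or `%group` rules).

```shell
#!/bin/sh
# Added example: detect "sudo removed, docker group retained" for a user.

# in_group USER GROUP GROUP_FILE PASSWD_FILE
# True if USER is in GROUP via the member list or via the primary GID.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        pass == 1 && $1 == g {            # /etc/group format: name:pw:gid:members
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        pass == 2 && $1 == u && gid != "" && $4 == gid { found = 1 }
        END { exit !found }
    ' pass=1 "$3" pass=2 "$4"
}

# has_sudoers_rule USER FILE...
# True if any given sudoers file has a rule line starting with USER.
has_sudoers_rule() {
    su_user=$1; shift
    [ $# -gt 0 ] || return 1
    grep -Eqs "^[[:space:]]*${su_user}[[:space:]]" "$@"
}

# audit_user USER GROUP_FILE PASSWD_FILE [SUDOERS_FILE...]
# Prints one of: sudo-present | sudo-removed-but-docker-group | ok
audit_user() {
    au=$1; ag=$2; ap=$3; shift 3
    if has_sudoers_rule "$au" "$@"; then
        echo "sudo-present"
    elif in_group "$au" docker "$ag" "$ap"; then
        echo "sudo-removed-but-docker-group"   # root-equivalent path remains
    else
        echo "ok"
    fi
}

# Constructed sample data (not taken from a real runner).
tmp=$(mktemp -d)
printf 'docker:x:999:runner\nadm:x:4:syslog\n' > "$tmp/group"
printf 'runner:x:1001:1001::/home/runner:/bin/bash\n' > "$tmp/passwd"
: > "$tmp/sudoers"                             # rule for runner already removed
audit_user runner "$tmp/group" "$tmp/passwd" "$tmp/sudoers"
rm -rf "$tmp"
```

On a live host, pass `/etc/group`, `/etc/passwd` and the sudoers files to `audit_user` in place of the sample files.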

Affected Version(s)

harden-runner >= 0.12.0, < 2.12.0

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved