CVE-2025-54594 (GCVE-0-2025-54594)
Vulnerability from cvelistv5
Published
2025-08-05 23:31
Modified
2025-08-06 20:29
Severity
CRITICAL (CVSS 3.1 base score 9.1)
CWE
  • CWE-269 - Improper Privilege Management
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
Impacted products
  • callstackincubator / react-native-bottom-tabs, versions <= 0.9.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-06T16:14:28.420227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-06T20:29:56.111Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-native-bottom-tabs",
          "vendor": "callstackincubator",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-05T23:31:53.399Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x"
        },
        {
          "name": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c"
        },
        {
          "name": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31"
        }
      ],
      "source": {
        "advisory": "GHSA-588g-38p4-gr6x",
        "discovery": "UNKNOWN"
      },
      "title": "react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54594",
    "datePublished": "2025-08-05T23:31:53.399Z",
    "dateReserved": "2025-07-25T16:19:16.095Z",
    "dateUpdated": "2025-08-06T20:29:56.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54594\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-06T00:15:30.857\",\"lastModified\":\"2025-08-06T20:23:52.133\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.\"},{\"lang\":\"es\",\"value\":\"react-native-bottom-tabs es una librer\u00eda de pesta\u00f1as inferiores nativas para React Native. En las versiones 0.9.2 y anteriores, el flujo de trabajo del repositorio de GitHub Actions, github/workflows/release-canary.yml, utilizaba incorrectamente el desencadenador de eventos pull_request_target, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo no confiable de una solicitud de extracci\u00f3n bifurcada en un contexto privilegiado. Un atacante podr\u00eda crear una solicitud de extracci\u00f3n que contuviera un script de preinstalaci\u00f3n malicioso en el archivo package.json y luego activar el flujo de trabajo vulnerable publicando un comentario espec\u00edfico (!canary). Esto permit\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario, lo que conduc\u00eda a la exfiltraci\u00f3n de secretos sensibles como GITHUB_TOKEN y NPM_TOKEN, y podr\u00eda haber permitido a un atacante enviar c\u00f3digo malicioso al repositorio o publicar paquetes comprometidos en el registro de NPM. Existe un commit de remediaci\u00f3n que elimina github/workflows/release-canary.yml, pero a\u00fan no se ha publicado una versi\u00f3n con esta correcci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54594\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-06T16:14:28.420227Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-06T16:14:29.890Z\"}}], \"cna\": {\"title\": \"react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration\", \"source\": {\"advisory\": \"GHSA-588g-38p4-gr6x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"callstackincubator\", \"product\": \"react-native-bottom-tabs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.9.2\"}]}], \"references\": [{\"url\": \"https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x\", \"name\": \"https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c\", \"name\": \"https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31\", \"name\": \"https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269: Improper Privilege Management\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-05T23:31:53.399Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54594\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-06T20:29:56.111Z\", \"dateReserved\": \"2025-07-25T16:19:16.095Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-05T23:31:53.399Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}