CVE-2026-25598
6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| step-security | harden-runner | < 2.14.2 | affected |
Weaknesses
- CWE-778: CWE-778: Insufficient Logging
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq
- https://github.com/step-security/harden-runner/releases/tag/v2.14.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.