CVE-2025-32955
📋 TL;DR
CVE-2025-32955 is a privilege escalation vulnerability in the Harden-Runner CI/CD security agent that allows attackers to bypass the 'disable-sudo' policy restriction. Attackers can use Docker group membership to launch privileged containers or access the host filesystem, effectively regaining root access. This affects organizations using Harden-Runner versions 0.12.0 through 2.11.0 in their GitHub Actions workflows.
💻 Affected Systems
- Harden-Runner
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Actions runner with root access, allowing attackers to execute arbitrary commands, steal secrets, modify source code, and pivot to other systems in the CI/CD pipeline.
Likely Case
Privilege escalation from restricted runner user to root, enabling unauthorized system modifications, credential theft, and persistence in the CI/CD environment.
If Mitigated
Limited impact if Docker group access is restricted and proper container security controls are implemented alongside Harden-Runner.
🎯 Exploit Status
Exploitation requires access to the GitHub Actions runner as the runner user. The technique is well-documented and similar to known Docker privilege escalation methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.0
Vendor Advisory: https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r
Restart Required: Yes
Instructions:
1. Update Harden-Runner to version 2.12.0 or later.
2. Restart GitHub Actions runners.
3. Verify the update by checking the version in runner logs or configuration.
🔧 Temporary Workarounds
Remove runner user from docker group
Platform: Linux
Remove the GitHub Actions runner user from the docker group to prevent Docker-based privilege escalation.
sudo deluser <runner-user> docker
sudo systemctl restart docker
Implement Docker socket proxy
Platform: Linux
Use a Docker socket proxy to restrict Docker API access instead of granting direct docker group membership.
🧯 If You Can't Patch
- Remove the runner user from the docker group and implement alternative container management methods.
- Implement strict network controls and monitoring for Docker API calls from GitHub Actions runners.
🔍 How to Verify
Check if Vulnerable:
Check the Harden-Runner version and verify whether the runner user is in the docker group: run 'id <runner-user>' and look for 'docker' in the groups list.
Check Version:
Check Harden-Runner configuration or logs for version information, typically in /etc/harden-runner/ or runner logs.
Verify Fix Applied:
Verify Harden-Runner version is 2.12.0 or later and test that 'disable-sudo' policy cannot be bypassed via Docker commands.
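A small check that automates the two steps above (docker group membership parsed from 'id' output, and the agent version compared against the affected range 0.12.0 through 2.11.0 with the fix at 2.12.0). This is an added example, not part of the advisory or of Harden-Runner itself; the log line and 'id' output it uses are constructed samples, and the version-line format is an assumption.

```python
import re
from typing import NamedTuple, Tuple

# Affected range and fix version as stated in the advisory summary.
FIRST_AFFECTED = (0, 12, 0)
FIXED = (2, 12, 0)


class Assessment(NamedTuple):
    version_affected: bool
    runner_in_docker_group: bool

    @property
    def vulnerable(self) -> bool:
        # The bypass needs both an affected agent version and docker group membership.
        return self.version_affected and self.runner_in_docker_group


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first dotted version (e.g. 'v2.11.0' or '2.12.0') from a log/config line."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version falls in [0.12.0, 2.12.0)."""
    return FIRST_AFFECTED <= version < FIXED


def runner_in_docker_group(id_output: str) -> bool:
    """Parse the groups= field of `id <user>` output and look for the docker group."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return False
    group_names = re.findall(r"\d+\(([^)]+)\)", m.group(1))
    return "docker" in group_names


def assess(version_text: str, id_output: str) -> Assessment:
    return Assessment(version_is_affected(parse_version(version_text)),
                      runner_in_docker_group(id_output))


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real runner (format is assumed).
    sample_log = "harden-runner v2.11.0 starting with disable-sudo: true"
    sample_id = "uid=1001(runner) gid=1001(runner) groups=1001(runner),998(docker)"
    print(assess(sample_log, sample_id))
```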
📡 Detection & Monitoring
Log Indicators:
- Docker API calls from GitHub Actions runner user
- Privileged container creation by runner user
- sudoers file modification attempts
Network Indicators:
- Docker API traffic from CI/CD runners to Docker daemon
SIEM Query:
source="github-actions" AND (process="docker" OR command="docker run --privileged")