CVE-2025-47775

6.2 MEDIUM

📋 TL;DR

CVE-2025-47775 is a vulnerability in Bullfrog GitHub Action versions before 0.8.4 where using TCP breaks network traffic blocking, allowing DNS exfiltration and potential sandbox bypass. This affects GitHub workflows using vulnerable Bullfrog versions to restrict outbound traffic. Attackers could exfiltrate sensitive data from supposedly restricted workflows.

💻 Affected Systems

Products:
  • Bullfrog GitHub Action
Versions: All versions before 0.8.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects workflows using Bullfrog with TCP configuration for traffic blocking.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete sandbox bypass allowing exfiltration of sensitive data (secrets, tokens, source code) from GitHub workflows to attacker-controlled infrastructure.

🟠 Likely Case

Data exfiltration from workflows containing sensitive information, potentially exposing credentials or proprietary code.

🟢 If Mitigated

Limited impact with proper network segmentation and additional security controls beyond Bullfrog.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to modify or influence GitHub workflow configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.4

Vendor Advisory: https://github.com/bullfrogsec/bullfrog/security/advisories/GHSA-m32f-fjw2-37v3

Restart Required: No

Instructions:

1. Update the Bullfrog Action reference in your GitHub workflow YAML files to v0.8.4 or later.
2. Replace any version references like 'v0.8.3' with 'v0.8.4'.
3. Commit and push the changes to trigger workflows with the patched version.

🔧 Temporary Workarounds

Disable TCP blocking configuration

Applies to: all

Temporarily remove or disable TCP-based blocking configurations in Bullfrog until patched.

# In workflow YAML, remove or comment out TCP configuration sections

Use alternative network restrictions

Applies to: all

Implement network restrictions at GitHub organization/repository level instead of relying solely on Bullfrog.

🧯 If You Can't Patch

  • Implement additional network monitoring for DNS traffic from GitHub workflows
  • Restrict workflow permissions to minimum required and audit for sensitive data exposure

🔍 How to Verify

Check if Vulnerable:

Check GitHub workflow YAML files for Bullfrog Action references with versions below 0.8.4.

Check Version:

grep -r 'bullfrog' .github/workflows/ --include='*.yml' --include='*.yaml'

Verify Fix Applied:

Confirm workflow YAML files reference Bullfrog v0.8.4 or later and test workflow execution with network restrictions.
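The grep above lists every mention of Bullfrog but leaves the version comparison to the reader. The following script, an added example and not part of this advisory or of the Bullfrog project, parses `uses:` step references and classifies each one against the 0.8.4 fix; it assumes the action is referenced as `bullfrogsec/bullfrog` (the repository path from the vendor advisory URL), and the sample workflow is constructed.

```python
import re
from pathlib import Path
FIXED = (0, 8, 4)  # first patched release per the advisory
# A GitHub Actions step reference such as `uses: bullfrogsec/bullfrog@v0.8.3`;
# the part after '@' may be a tag, a branch name or a commit SHA.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?bullfrogsec/bullfrog@([^\s'\"#]+)", re.MULTILINE)
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify_ref(ref):
    """Return 'vulnerable', 'patched' or 'unresolved' for one @ref."""
    m = TAG_RE.match(ref)
    if not m:
        # Branch names and SHA pins carry no version number; resolve them
        # against the repository's tags before trusting the workflow.
        return "unresolved"
    return "vulnerable" if tuple(map(int, m.groups())) < FIXED else "patched"

def scan_workflow(text):
    """Return [(line_number, ref, status)] for every Bullfrog reference in a workflow."""
    results = []
    for m in USES_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        results.append((line_no, m.group(1), classify_ref(m.group(1))))
    return results

def scan_repo(root="."):
    """Scan .github/workflows/*.yml and *.yaml under root; returns {path: results}."""
    findings = {}
    workflows = Path(root, ".github", "workflows")
    for path in list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml")):
        hits = scan_workflow(path.read_text(encoding="utf-8"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: bullfrogsec/bullfrog@v0.8.3
      - uses: "bullfrogsec/bullfrog@v0.8.4"
      - uses: bullfrogsec/bullfrog@main
      - uses: actions/checkout@v4
"""
if __name__ == "__main__":
    for line_no, ref, status in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: @{ref} -> {status}")
```

Run `scan_repo()` from a repository root to get findings per workflow file; any `unresolved` reference (branch or SHA pin) still needs a manual check against the tagged releases.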

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DNS queries from GitHub Actions runners
  • Workflow execution failures related to network blocking

Network Indicators:

  • DNS traffic to suspicious domains from GitHub IP ranges during workflow execution

SIEM Query:

source="github-actions" AND (protocol="DNS" OR query_type="A" OR query_type="AAAA")
