medium
6
CWE
268 269 250 272
EPSS
0.010%
Advisory Published
Advisory Published
Updated

CVE-2025-32955: Harden-Runner Evasion of 'disable-sudo' policy

First published: Mon Apr 21 2025(Updated: )

### Summary Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`. ### Impact An attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control. ### Affected Configuration • Harden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners. • This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner. ### Mitigation / Fix This vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting: • Disables sudo access, • Removes access to dockerd and containerd sockets, • Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths. ### Additional Improvements • The `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. • Harden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy. ### Credits Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Harden-Runner>=0.12.0<2.12.0
actions/step-security/harden-runner>=0.12.0<2.12.0
2.12.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-32955?

    CVE-2025-32955 has a high severity rating due to its potential to allow unauthorized privilege escalation.

  • How do I fix CVE-2025-32955?

    To fix CVE-2025-32955, upgrade Harden-Runner to version 2.12.0 or later.

  • What versions are affected by CVE-2025-32955?

    CVE-2025-32955 affects Harden-Runner versions from 0.12.0 to before 2.12.0.

  • What is the impact of CVE-2025-32955?

    The impact of CVE-2025-32955 is that it allows users to bypass the 'disable-sudo' policy, leading to elevated privileges.

  • Who is the vendor for CVE-2025-32955?

    The vendor for CVE-2025-32955 is Harden-Runner.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203