Harden-Runner is a popular CI/CD (Continuous Integration/Continuous Deployment) security agent, designed to work as an EDR (Endpoint Detection and Response) for GitHub Actions runners. One of its important security features is the disable-sudo policy option. This option prevents the GitHub Actions runner user from using sudo, limiting what a compromised workflow step can do on the runner host.

However, a recent advisory reports that versions .12. to before 2.12. of Harden-Runner are vulnerable to a disable-sudo bypass. The vulnerability allows an attacker who already has access to the runner user to launch privileged containers or access the host filesystem. This can in turn be used to regain root access or restore the sudoers file, rendering the restriction ineffective.

Details of the Vulnerability

When the disable-sudo policy option is enabled, it removes the runner user from the sudoers file, effectively preventing that user from running sudo. However, this control can easily be circumvented because the runner user is also a member of the docker group and can therefore interact with the Docker daemon. Since the daemon runs as root, an attacker can use it to launch a privileged container or mount and modify the host filesystem.

The following command demonstrates the bypass:

# Assuming the runner user is part of the docker group
docker run -it --privileged --net=host --pid=host --user=root \
    --volume /:/host --entrypoint=chroot \
    library/debian /host

When executed, this command gives the attacker a root shell chrooted into the host filesystem, bypassing the restriction enforced by the disable-sudo policy option.
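As an added audit helper (not Harden-Runner's own code), the POSIX shell script below encodes the defender-side check that follows from the description above: removing sudo is not an effective control while the runner user is still in the docker group or can write to the Docker socket. The socket path, the group name and the HR_AUDIT_LIVE switch are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit whether disable-sudo is undermined by Docker daemon access.
# Assumptions: Docker socket at /var/run/docker.sock, daemon group named "docker".

# in_group LIST NAME -> exit 0 if NAME appears in the space-separated LIST
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# assess SUDO GROUPS SOCK_WRITABLE -> prints a verdict; exit 0 when the
# disable-sudo control is effective, 1 when it is absent or bypassable.
#   SUDO:          "yes" if the user can run sudo, "no" otherwise
#   GROUPS:        space-separated group list, as printed by `id -nG`
#   SOCK_WRITABLE: "yes" if the Docker socket is writable by the user
assess() {
    sudo_state=$1; grp_list=$2; sock_state=$3
    if [ "$sudo_state" = "yes" ]; then
        echo "sudo available: disable-sudo not applied"
        return 1
    fi
    if in_group "$grp_list" docker || [ "$sock_state" = "yes" ]; then
        echo "sudo removed but Docker daemon reachable: root-equivalent access remains"
        return 1
    fi
    echo "sudo removed and no Docker daemon access: control effective"
    return 0
}

# live_check: gather the three facts for the current user and assess them.
live_check() {
    if sudo -n true 2>/dev/null; then s=yes; else s=no; fi
    if [ -w /var/run/docker.sock ]; then w=yes; else w=no; fi
    assess "$s" "$(id -nG)" "$w"
}

# Only probe the live host when explicitly requested (assumed switch).
if [ "${HR_AUDIT_LIVE:-}" = "1" ]; then
    live_check
fi
```

Run with HR_AUDIT_LIVE=1 on a runner host to see whether the docker group membership described above still leaves a root-equivalent path open.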

Original References

- Vulnerability disclosure: GitHub issue
- Harden-Runner Project Repository: GitHub Repository

Exploit and Patch

The vulnerability is fixed by upgrading Harden-Runner to version 2.12. or later. Users who rely on the disable-sudo policy option should update as soon as possible.

# Harden-Runner is installed as a GitHub Action, not a pip package.
# Pin the action to a patched release (2.12. or later) in the workflow:
- uses: step-security/harden-runner@v2
  with:
    disable-sudo: true

Pinning the action to a patched release updates Harden-Runner to 2.12. or later, closing the bypass and protecting your GitHub Actions runners from exploitation via the Docker daemon.

Conclusion

CVE-2025-32955 is a critical vulnerability affecting versions .12. to before 2.12. of Harden-Runner. It allows attackers to bypass the disable-sudo policy option by exploiting the runner user's access to the Docker daemon. This can lead to launching privileged containers and manipulating the host filesystem. Immediate action is required to patch the issue by upgrading to Harden-Runner version 2.12. or later.

Timeline

Published on: 04/21/2025 21:15:20 UTC
Last modified on: 04/23/2025 14:08:13 UTC