The Invisible Courier: Bypassing Harden-Runner's Watchful Eye via Syscall Ninja Tactics
Vulnerability ID: CVE-2026-25598
CVSS Score: 6.3
Published: 2026-02-09
In the world of CI/CD security, visibility is everything. Step Security's Harden-Runner promises to be the all-seeing eye for GitHub Actions, monitoring outbound traffic to catch malicious dependencies dialing home. However, CVE-2026-25598 reveals a classic blind spot: the agent was obsessed with the polite handshake of the connect() syscall but completely ignored the rude interruption of sendto(), sendmsg(), and sendmmsg(). This oversight allowed attackers to exfiltrate sensitive data right under the nose of the egress-policy: audit mode without generating a single log entry.
TL;DR
Harden-Runner's audit mode failed to log network traffic sent via sendto, sendmsg, or sendmmsg syscalls. Attackers could bypass audit logs by using connectionless protocols or raw socket messaging, effectively rendering the monitoring invisible for those specific transmission methods.
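To make the audit gap concrete from the monitoring side, the following added example (written for this page, not code from Step Security or the Harden-Runner agent) parses constructed strace-style lines and compares two views of egress: a monitor that records destinations only from connect() calls, and one that also reads the sockaddr carried by sendto(), sendmsg() and sendmmsg(). The trace lines, addresses and fd numbers are all made up for illustration; the point is that datagram and raw-message sends with an explicit address never pass through connect(), so a connect()-keyed auditor has no record of them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed strace-style lines for illustration; not captured from a real
# runner. 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_TRACE = """\
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
sendto(3, "GET / HTTP/1.1\\r\\n", 16, 0, NULL, 0) = 16
sendto(4, "ping", 4, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.20")}, 16) = 4
sendmsg(5, {msg_name={sa_family=AF_INET, sin_port=htons(9999), sin_addr=inet_addr("192.0.2.30")}, msg_namelen=16, msg_iov=[...], msg_iovlen=1}, 0) = 64
sendmmsg(5, [{msg_hdr={msg_name={sa_family=AF_INET, sin_port=htons(9999), sin_addr=inet_addr("192.0.2.30")}, msg_namelen=16}}], 1, 0) = 1
"""

SYSCALL_RE = re.compile(r'^(connect|sendto|sendmsg|sendmmsg)\((\d+),')
SOCKADDR_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')
SEND_SYSCALLS = {"sendto", "sendmsg", "sendmmsg"}


@dataclass(frozen=True)
class SocketEvent:
    syscall: str
    fd: int
    dst: Optional[str]  # "ip:port" when the call carried an explicit sockaddr


def parse_trace(trace: str) -> list:
    """Extract (syscall, fd, destination) from each socket-related trace line."""
    events = []
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        addr = SOCKADDR_RE.search(line)
        dst = f"{addr.group(2)}:{addr.group(1)}" if addr else None
        events.append(SocketEvent(m.group(1), int(m.group(2)), dst))
    return events


def audit_connect_only(events) -> set:
    """Models the gap: a monitor keyed on connect() alone only records
    destinations that were passed to a connect() call."""
    return {e.dst for e in events if e.syscall == "connect" and e.dst}


def audit_all_send_paths(events) -> set:
    """Monitor that also inspects the address carried by sendto()/sendmsg()/
    sendmmsg(). A send with a NULL address is attributed to the fd's last
    connect() peer (simplified: fd reuse after close() is ignored)."""
    peer_by_fd = {}
    seen = set()
    for e in events:
        if e.syscall == "connect" and e.dst:
            peer_by_fd[e.fd] = e.dst
            seen.add(e.dst)
        elif e.syscall in SEND_SYSCALLS:
            dst = e.dst or peer_by_fd.get(e.fd)
            if dst:
                seen.add(dst)
    return seen


def missed_destinations(events) -> set:
    """Destinations that only show up once the send family is audited too."""
    return audit_all_send_paths(events) - audit_connect_only(events)


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("connect()-only view :", sorted(audit_connect_only(evs)))
    print("full view           :", sorted(audit_all_send_paths(evs)))
    print("missed by audit mode:", sorted(missed_destinations(evs)))
```

Running it shows the connect()-only view containing just 192.0.2.10:443, while the UDP sendto() and the sendmsg()/sendmmsg() destinations (192.0.2.20:53 and 192.0.2.30:9999) appear only in the full view. This is the same reason network-layer telemetry such as VPC flow logs is a useful second source: it sees packets regardless of which syscall produced them.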
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-778
- Attack Vector: Network (AV:N)
- CVSS 4.0: 6.3 (Medium)
- Impact: Audit Log Integrity / Data Exfiltration
- Affected Syscalls: sendto, sendmsg, sendmmsg
- Status: Patched
Affected Systems
- GitHub Actions Runners (Ubuntu)
- Harden-Runner < 2.14.2
- harden-runner: < 2.14.2 (Fixed in: 2.14.2)
Code Analysis
Commit: 5ef0c07
Bump agent version to 0.14.3 to fix syscall audit gap
Change agent download URL from v0.14.2 to v0.14.3 and update SHA256 checksums.
Exploit Details
- Simulated: UDP sendto() bypass of audit logs
Mitigation Strategies
- Update Harden-Runner Action to v2.14.2+
- Switch Egress Policy from Audit to Block
- Implement Network Layer Monitoring (VPC Flow Logs)
Remediation Steps:
- Scan all repositories for usage of step-security/harden-runner.
- Identify workflows using versions < v2.14.2.
- Update the uses directive to step-security/harden-runner@v2.14.2.
- Verify the update by checking the initialized agent version in the workflow run logs.
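The scan-and-identify steps above can be automated. The following added example (not code from Step Security or the Harden-Runner project) does a line-based scan of a workflow file for step-security/harden-runner steps, flags refs below v2.14.2, refuses to vouch for floating tags or commit SHAs that cannot be compared as versions, and also reports steps whose egress-policy is not block. The sample workflow is constructed for the example; the egress-policy and allowed-endpoints inputs are the action's real input names, but the job layout and version pins are illustrative.

```python
import re
from typing import Optional

FIXED_VERSION = (2, 14, 2)  # first action release that closes the gap (per the advisory)
ACTION = "step-security/harden-runner"

# Constructed sample workflow (not from any real repository) with three jobs:
# a vulnerable pin in audit mode, a fixed pin in block mode, and a floating
# major tag whose resolved version cannot be verified from the file alone.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2.14.2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - uses: actions/checkout@v4
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
"""

USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*(\S+)')
POLICY_RE = re.compile(r'^\s*egress-policy:\s*(\S+)')


def parse_version(ref: str) -> Optional[tuple]:
    """(major, minor, patch) for a full version tag such as v2.14.2; None for
    floating tags (v2) or commit SHAs, which cannot be compared here."""
    m = re.fullmatch(r'v?(\d+)\.(\d+)\.(\d+)', ref)
    return tuple(int(x) for x in m.groups()) if m else None


def find_harden_runner_steps(text: str) -> list:
    """Each harden-runner `uses:` line opens a step; an egress-policy line seen
    before the next `uses:` line is attributed to that step."""
    steps, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, _, ref = m.group(1).partition("@")
            current = None
            if action == ACTION:
                current = {"line": lineno, "ref": ref, "egress_policy": None}
                steps.append(current)
            continue
        p = POLICY_RE.match(line)
        if p and current is not None:
            current["egress_policy"] = p.group(1)
    return steps


def assess_step(step: dict) -> list:
    """Issues for one harden-runner step; an empty list means it is clean."""
    issues = []
    ver = parse_version(step["ref"])
    if ver is None:
        issues.append(f"ref '{step['ref']}' is not a full version tag; "
                      "confirm the initialized agent version in the run logs")
    elif ver < FIXED_VERSION:
        issues.append(f"ref '{step['ref']}' is below v2.14.2; audit gap present")
    if step["egress_policy"] != "block":
        issues.append(f"egress-policy is {step['egress_policy'] or 'unset'}; "
                      "audit mode only logs, switch to block")
    return issues


def scan_workflow(text: str) -> dict:
    """Map each harden-runner step's line number to its list of issues."""
    return {s["line"]: assess_step(s) for s in find_harden_runner_steps(text)}


if __name__ == "__main__":
    for line, issues in scan_workflow(SAMPLE_WORKFLOW).items():
        print(f"line {line}: {'OK' if not issues else '; '.join(issues)}")
```

Point scan_workflow at the contents of each .github/workflows/*.yml file across the repositories in scope. The scanner deliberately does not trust a floating tag such as @v2 to mean "fixed": the ref may resolve to a patched release today, but the only evidence is the agent version printed in the run logs, which is the verification step listed above.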
References
Read the full report for CVE-2026-25598 on our website for more details including interactive diagrams and full exploit analysis.