CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5VJQ-5JMG-39XQ: Remote Code Execution in Renovate via Bazel Lockfile Maintenance

Vulnerability ID: GHSA-5VJQ-5JMG-39XQ
CVSS Score: 9.8
Published: 2026-04-16

A critical Remote Code Execution (RCE) vulnerability exists in the Renovate CLI affecting the bazel-module and bazelisk managers. By providing a malicious MODULE.bazel file, an attacker can execute arbitrary commands on the runner during lockfile maintenance operations.

TL;DR

Renovate versions prior to 43.102.11 execute untrusted code when generating Bazel lockfiles. An attacker controlling a repository processed by Renovate can achieve remote code execution on the runner infrastructure.

⚠️ Exploit Status: proof of concept (PoC)

Technical Details

  • Vulnerability Type: Improper Control of Generation of Code (CWE-94) / OS Command Injection
  • Attack Vector: Malicious Repository Payload (MODULE.bazel)
  • Impact: Remote Code Execution (RCE) on automation runner
  • Affected Components: Renovate CLI (bazel-module, bazelisk)
  • Fixed Version: 43.102.11
  • Configuration Requirement: after the fix, Bazel lockfile execution must be explicitly enabled via allowedUnsafeExecutions

Affected Systems

  • Renovate CLI bazel-module manager
  • Renovate CLI bazelisk manager
  • Self-hosted Renovate deployments
  • Renovate CI/CD Runner environments
  • Renovate CLI: < 43.102.11 (Fixed in: 43.102.11)

Mitigation Strategies

  • Upgrade to Renovate CLI version 43.102.11 or higher.
  • Restrict allowedUnsafeExecutions in the Renovate configuration to the minimum your organization actually needs.
  • Run CI/CD automation tools in strictly isolated, ephemeral environments with minimal IAM permissions.

Remediation Steps:

  1. Identify all deployments of self-hosted Renovate CLI runners.
  2. Deploy version 43.102.11 across the runner fleet.
  3. If Bazel lockfile updates are required, update the global configuration to include "allowedUnsafeExecutions": ["bazelModDeps"].
  4. Monitor Renovate execution logs for warnings regarding blocked Bazel executions to identify missed configurations.
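To make the first three steps auditable across a fleet, here is an added example (not code from the advisory or from the Renovate project) that checks a constructed runner inventory against the fixed version and reports which runners have Bazel lockfile execution explicitly allowed; the runner names, versions and config objects are hypothetical, while the version number and the `allowedUnsafeExecutions` / `bazelModDeps` setting come from the advisory.

```javascript
// Added example, not from the advisory or the Renovate project: audit a
// constructed Renovate runner inventory against the fixed version and the
// allowedUnsafeExecutions setting named in the remediation steps.
const FIXED_VERSION = "43.102.11"; // from the advisory

// Numeric dotted-version comparison; a plain string compare would rank
// "43.99.0" above "43.102.11", which is exactly the wrong answer here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// One runner: { name, version, config }, where config is the global Renovate
// config object (the allowedUnsafeExecutions key follows remediation step 3).
function auditRunner({ name, version, config }) {
  const allowed = Array.isArray(config.allowedUnsafeExecutions)
    ? config.allowedUnsafeExecutions : [];
  const bazelEnabled = allowed.includes("bazelModDeps");
  const vulnerable = isVulnerableVersion(version);
  let action;
  if (vulnerable) action = `upgrade to ${FIXED_VERSION} before processing any repository`;
  else if (bazelEnabled) action = "patched; bazelModDeps is allowed, keep that list minimal";
  else action = "patched; Bazel lockfile updates stay blocked (watch logs for warnings)";
  return { name, vulnerable, bazelEnabled, action };
}

// Names of runners that still need the upgrade, whatever their config says.
function runnersNeedingUpgrade(inventory) {
  return inventory.filter((r) => auditRunner(r).vulnerable).map((r) => r.name);
}

// Constructed sample inventory (hypothetical runner names and versions).
const SAMPLE_INVENTORY = [
  { name: "renovate-eu-1", version: "43.102.10", config: {} },
  { name: "renovate-eu-2", version: "43.99.0", config: { allowedUnsafeExecutions: ["bazelModDeps"] } },
  { name: "renovate-us-1", version: "43.102.11", config: { allowedUnsafeExecutions: ["bazelModDeps"] } },
  { name: "renovate-us-2", version: "44.0.0", config: {} },
];

for (const r of SAMPLE_INVENTORY) console.log(auditRunner(r));
```

Runners reported as vulnerable need the upgrade regardless of their configuration; the bazelEnabled flag only matters once the fixed version is in place.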

Read the full report for GHSA-5VJQ-5JMG-39XQ on our website for more details including interactive diagrams and full exploit analysis.