GHSA-cpmj-h4f6-r6pq

Suggest an improvement
Source
https://github.com/advisories/GHSA-cpmj-h4f6-r6pq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-cpmj-h4f6-r6pq/GHSA-cpmj-h4f6-r6pq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cpmj-h4f6-r6pq
Aliases
Published
2026-02-09T17:19:14Z
Modified
2026-02-22T23:23:38.148656Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Details

Summary

A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit.

Note: This vulnerability only affects audit mode. When using egress-policy: block, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)

Affected Versions

  • Harden-Runner Community Tier: All versions prior to v2.14.2
  • Harden-Runner Enterprise Tier: NOT AFFECTED

Severity

Medium - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow.

Impact

When Harden-Runner is configured in audit mode (egress-policy: audit), attackers with the ability to execute arbitrary code in a workflow can: - Send outbound network traffic without generating audit logs - Bypass network monitoring for UDP-based communications

Important: This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).

Technical Details

The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events:

  • sendto()

  • sendmsg()

  • sendmmsg()

An attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels.

Affected Users

This vulnerability ONLY affects users of the Harden-Runner Community Tier.

The Harden-Runner Enterprise Tier is NOT vulnerable to this bypass technique.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.14.2 or later. This version includes fixes for the logging bypass vulnerability.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before the fix before it was made public.

Database specific 
{
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "github_reviewed_at": "2026-02-09T17:19:14Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-221",
        "CWE-778",
        "CWE-863"
    ],
    "severity": "MODERATE"
}
References

Affected packages

GitHub Actions / step-security/harden-runner

Package

Name
step-security/harden-runner

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.14.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-cpmj-h4f6-r6pq/GHSA-cpmj-h4f6-r6pq.json"