GHSA-g699-3x6g-wm3g

Suggest an improvement
Source
https://github.com/advisories/GHSA-g699-3x6g-wm3g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g699-3x6g-wm3g/GHSA-g699-3x6g-wm3g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g699-3x6g-wm3g
Aliases
Published
2026-03-17T18:37:46Z
Modified
2026-03-20T21:33:51.432672Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
Details

Summary

A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS queries over TCP.

Harden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When egress-policy: block is enabled with a restrictive allowed-endpoints list (e.g., only github.com:443), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like dig can explicitly initiate TCP-based DNS queries (+tcp flag) without being blocked.

This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

The Enterprise Tier of Harden-Runner is not affected by this vulnerability.

Impact

When Harden-Runner is configured with egress-policy: block and a restrictive allowed-endpoints list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the egress block policy by initiating DNS queries over TCP to external resolvers. This allows outbound network communication that evades the configured network restrictions.

This vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.16.0 or later.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process.

Database specific 
{
    "cwe_ids": [
        "CWE-693",
        "CWE-863"
    ],
    "nvd_published_at": "2026-03-20T04:16:50Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T18:37:46Z"
}
References

Affected packages

GitHub Actions / step-security/harden-runner

Package

Name
step-security/harden-runner

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0

Database specific

last_known_affected_version_range 
"<= 2.15.1"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g699-3x6g-wm3g/GHSA-g699-3x6g-wm3g.json"