VYPR

GitHub Actions package

step-security/harden-runner

pkg:github/step-security/harden-runner

Vulnerabilities (5)

  • CVE-2026-32947 (Mar 20, 2026)
    affected: < 2.16.0, fixed: 2.16.0

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS (DoH) vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling exfiltrated data through permitted HTTPS

  • CVE-2026-32946 (Mar 20, 2026)
    affected: < 2.16.0, fixed: 2.16.0

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, Harden-Runner allows bypass of the egress-policy: block network restriction using DNS queries over TCP. Egress policies are enforced on GitHub runners

  • CVE-2026-25598 (Feb 9, 2026)
    affected: < 2.14.2, fixed: 2.14.2

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifical

  • CVE-2025-32955 (Medium, Apr 21, 2025)
    affected: >= 0.12.0, < 2.12.0, fixed: 2.12.0

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sud

  • CVE-2024-52587 (High, Nov 18, 2024)
    affected: < 2.10.2, fixed: 2.10.2

    StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially b