Summary
Harden-Runner secures CI/CD workflows by controlling network access and monitoring activities on GitHub-hosted and self-hosted runners. Harden-Runner community tier has been adopted by more than 6,000 open-source projects, including projects from Microsoft, CISA, Google etc. In addition, several organizations use the Harden-Runner enterprise tier.
Harden-Runner has detected the following CI/CD supply chain attacks:
With the growing adoption of Harden-Runner, we’re grateful to have a strong and engaged community contributing to its continued security and improvement. We’d like to extend our sincere thanks to @loresuso and @darryk10 for responsibly disclosing the issue covered in this post and for their collaboration in helping us investigate and mitigate the vulnerability.
We have addressed a security issue in Harden-Runner where the disable-sudo policy could be bypassed by leveraging Docker access. The issue has been assigned CVE-2025-32955. This blog post outlines the details of the issue, the mitigation through an enhanced policy, newly added detections, and a preview of the upcoming lockdown mode for defense-in-depth.
Background
Harden-Runner includes a policy option disable-sudo to prevent GitHub Actions workflows from escalating privileges by disabling sudo access for the runner user. This is implemented by removing the user from the sudoers file. The GitHub Actions workflow snippet below shows how this feature is used.
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit
However, the researchers identified a bypass: if the runner user has access to the dockerd or containerd socket, they can start a privileged container, mount the host filesystem, and regain root access — effectively restoring the sudo capability or achieving privilege escalation in other ways.
CVE Details
CVE ID
CVE-2025-32955
Affected Component
Harden-Runner
Affected Configuration
• Runners configured with disable-sudo: true
• Running on GitHub-hosted runners or ephemeral VM-based self-hosted runners
• Runner user has Docker access
Not Affected
This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.
Severity
6.0 Medium
Patched version
v2.12.0
Impact
For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner.
An attacker with the ability to run a GitHub Actions job on a runner configured with disable-sudo: true could still escalate privileges to root using Docker, defeating the intended security control.
Mitigation: Move to disable-sudo-and-containers
To fully mitigate this class of bypass, we’ve introduced and recommend the disable-sudo-and-containers policy. This enhanced policy includes:
• Removal of access to Docker and containerd sockets
• Uninstallation of Docker
• Retaining the restriction on sudo access
By eliminating Docker access entirely, this policy removes the attack vector used to bypass the original disable-sudo control.
We recommend you use the disable-sudo-and-containers option in favor of disable-sudo if your GitHub Actions job does not use containers. The GitHub Actions workflow snippet below shows how to use this feature.
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo-and-containers: true
egress-policy: audit
In response to this issue, Harden-Runner now includes runtime detections that identify attempts to evade the disable-sudo restriction.
Coming Soon: Lockdown Mode
We are developing a new lockdown mode feature as part of our ongoing defense-in-depth strategy.
If Harden-Runner detects behavior indicative of compromise—such as attempts to restore sudo, or modify sensitive files—it will:
• Enter lockdown mode
• Block further job execution to minimize impact
This feature will provide an additional safety net, ensuring that even successful evasion attempts are contained before they can cause broader damage.
Conclusion
This issue highlights the evolving nature of CI/CD security threats. We’re grateful to the security researchers who responsibly disclosed this bypass.
If your workflows currently rely on disable-sudo, we recommend upgrading to disable-sudo-and-containers if your GitHub Actions workflow job does not use docker.
For questions, please reach out to support@stepsecurity.io