Harden-Runner Egress Policy Bypass Vulnerability via DNS over TCP

Vulnerability

A vulnerability exists in Harden-Runner versions 2.15.1 and below, specifically in the Community Tier, that allows users to bypass the network restrictions imposed by egress-policy: block. The bypass works by sending DNS queries over TCP to external resolvers, evading the configured network controls. The vulnerability arises because outbound DNS traffic over TCP is not properly restricted, so data can be exfiltrated even with a strict allowed-endpoints list. Exploiting this issue requires existing code execution within a GitHub Actions workflow.

Impact

Exploitation of this vulnerability allows for unauthorized outbound network communication that bypasses established egress restrictions, potentially leading to data exfiltration.

Remediation

Users of the Community Tier should upgrade to Harden-Runner version 2.16.0 or later. Enterprise Tier users are not affected by this vulnerability.
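As an added defender-side example (it is not part of this advisory and not Harden-Runner's own tooling), the following Python script scans a workflow file for Harden-Runner steps that combine egress-policy: block with a version below 2.16.0, which is the combination the advisory describes as affected. It assumes the action is referenced as step-security/harden-runner (the project's published action path); the sample workflow and the 40-character SHA in it are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Harden-Runner is consumed as the GitHub Action step-security/harden-runner.
ACTION = "step-security/harden-runner"
FIXED_VERSION = (2, 16, 0)  # first Community Tier release with the fix, per the advisory

USES_RE = re.compile(r"^(\s*)-?\s*uses:\s*" + re.escape(ACTION) + r"@(\S+)(.*)$")
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
COMMENT_TAG_RE = re.compile(r"#\s*v?(\d+)\.(\d+)\.(\d+)")
POLICY_RE = re.compile(r"^\s*egress-policy:\s*([A-Za-z]+)")
STEP_START_RE = re.compile(r"^(\s*)-\s")

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2.15.1
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
      - uses: actions/checkout@v4
      - uses: step-security/harden-runner@v2.16.0
        with:
          egress-policy: block
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567  # v2.14.0
        with:
          egress-policy: block
      - uses: step-security/harden-runner@v2.15.1
        with:
          egress-policy: audit
"""


@dataclass
class Finding:
    line: int                                 # 1-based line of the uses: reference
    ref: str                                  # tag or commit SHA after the '@'
    version: Optional[Tuple[int, int, int]]   # resolved semantic version, if determinable
    policy: Optional[str]                     # egress-policy value in the step, if any
    status: str                               # vulnerable / fixed / unknown-version / not-affected


def parse_version(ref: str, trailing: str) -> Optional[Tuple[int, int, int]]:
    """Resolve vX.Y.Z tags directly; for SHA pins, trust only a '# vX.Y.Z' comment."""
    m = TAG_RE.match(ref)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        m = COMMENT_TAG_RE.search(trailing)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None  # major-only tags (v2) or uncommented SHAs need manual resolution


def classify(version: Optional[Tuple[int, int, int]], policy: Optional[str]) -> str:
    if policy != "block":          # the bypass only matters when egress-policy is block
        return "not-affected"
    if version is None:
        return "unknown-version"
    if version < FIXED_VERSION:
        return "vulnerable"
    return "fixed"


def scan_workflow(text: str) -> List[Finding]:
    """Find every Harden-Runner step and classify it against the advisory's fix version."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, ref, trailing = len(m.group(1)), m.group(2), m.group(3)
        policy = None
        # Walk the step body until the next '- ' item at the same or shallower indentation.
        for nxt in lines[i + 1:]:
            s = STEP_START_RE.match(nxt)
            if s and len(s.group(1)) <= indent:
                break
            p = POLICY_RE.match(nxt)
            if p:
                policy = p.group(1).lower()
                break
        version = parse_version(ref, trailing)
        findings.append(Finding(i + 1, ref, version, policy, classify(version, policy)))
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {ACTION}@{f.ref} egress-policy={f.policy} -> {f.status}")
```

Steps reported as unknown-version (a major-only tag such as v2, or a SHA pin without a version comment) should be resolved against the action's release history before being treated as safe; the script deliberately does not guess.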

Added: Mar 20, 2026, 4:20 AM
Updated: Mar 20, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 3.3
remediation: 0.0
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.