Harden-Runner DNS Over HTTPS Egress Policy Bypass Vulnerability
Vulnerability
A vulnerability in Harden-Runner versions through 2.15.1 allows bypassing egress network restrictions in the Community Tier by exploiting DNS over HTTPS (DoH). This vulnerability enables data exfiltration through permitted HTTPS endpoints, such as Google's DNS service, while evading domain-based filtering. The issue arises from encoding sensitive information, like the runner's hostname, as subdomains in DoH queries, which are then forwarded to an attacker-controlled domain. Exploitation requires existing code execution within the GitHub Actions workflow.
Impact
Bypassing the egress-policy: block setting allows unauthorized outbound communication through DNS over HTTPS, enabling data exfiltration from the GitHub Actions runner to an external domain controlled by an attacker. The exfiltration never opens a direct connection to a blocked destination, so it circumvents domain-based network safeguards while only ever talking to a permitted endpoint.
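The bypass works because a domain-based filter only sees the permitted resolver endpoint, not the name carried inside the DoH request. The following is an added detection example, not Harden-Runner's own code: it parses the queried name out of DoH requests in a constructed egress request log (assuming the Google JSON `/resolve?name=` style and the RFC 8484 `/dns-query?dns=` base64url wire-format style) and flags any query whose registrable domain falls outside a constructed allowlist.

```python
import base64
from urllib.parse import parse_qs, urlsplit
# Constructed allowlist standing in for an egress policy's allowed endpoints (assumption).
ALLOWED_DOMAINS = {"github.com", "dns.google"}
# A permitted resolver endpoint; the names queried through it need their own check.
DOH_RESOLVERS = {"dns.google"}

def _wire_qname(msg):
    """First question name of a DNS wire-format message (RFC 1035); header is 12 bytes."""
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected label pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_query_name(url):
    """Name a DoH request URL asks about, or None if the URL is not a DoH query."""
    u = urlsplit(url)
    if u.hostname not in DOH_RESOLVERS:
        return None
    params = parse_qs(u.query)
    if "name" in params:  # Google JSON API style: /resolve?name=<qname>
        return params["name"][0].rstrip(".")
    if "dns" in params:  # RFC 8484 GET style: /dns-query?dns=<base64url wire message>
        raw = params["dns"][0]
        raw += "=" * (-len(raw) % 4)  # base64url drops padding; restore it
        return _wire_qname(base64.urlsafe_b64decode(raw))
    return None

def registrable(name):
    # Crude eTLD+1 (last two labels); a real deployment would use a public-suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def doh_egress_violations(urls):
    """Flag DoH requests whose queried name lies outside the egress allowlist."""
    hits = []
    for url in urls:
        qname = doh_query_name(url)
        if qname and registrable(qname) not in ALLOWED_DOMAINS:
            hits.append((url, qname))
    return hits

SAMPLE_EGRESS = [  # constructed, not real traffic; last entry queries h1.evil.example (placeholder)
    "https://api.github.com/repos/example/repo",
    "https://dns.google/resolve?name=api.github.com&type=A",
    "https://dns.google/dns-query?dns=AAABAAABAAAAAAAAAmgxBGV2aWwHZXhhbXBsZQAAAQAB",
]
```

Running `doh_egress_violations(SAMPLE_EGRESS)` reports only the third request, the one whose queried name resolves under the placeholder domain rather than an allowed one.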
Remediation
Users of the Community Tier should upgrade to Harden-Runner version 2.16.0 or later. Enterprise Tier users are not affected by this vulnerability.
