8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-52587

GHSA ID

GHSA-g85v-wf27-67xc

EPSS Score

0.64864%

CWE

CWE-78

Published

11/18/2024

Updated

11/19/2024

KEV Status

Technology

GitHub Actions

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52587

CVE-2024-52587: Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary

Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time.

Details

setup.ts:169 1 performs execSync with a command that gets invoked after interpretation by the shell. This command includes an interpolated process.env.USER variable, which an attacker could modify (without actually creating a new user) to inject arbitrary shell expressions into this execSync. This may or may not be likely in practice, but I believe the hygienic way to perform the underlying operation is to use execFileSync or similar and bypass the underlying shell evaluation.
setup.ts:229 2 has a nearly identical execSync to (1) above, but with $USER for shell-level interpolation rather than string interpolation. However, this is still injectable and would be best replaced by an execFileSync, per above.
arc-runner:40-44 3 has an execSync with multiple string interpolations. Most of these do not appear immediately injectible (since they appear to come from presumed trusted API responses), but the expansion of getRunnerTempDir() may be injectable due to its dependence on potentially attacker-controllable environment variables (e.g. RUNNER_TEMP). The underlying operation appears to be a trivial file copy, so this entire subprocess should in theory be replaceable with ordinary NodeJS fs API calls instead.
arc-runner:53 4 demonstrates the same weakness, and has the same resolution as (3).
arc-runner:57 demonstrates the same weakness as (3) and (4), and has the same resolution.
arc-runner:61 demonstrates the same weakness as (3), (4), and (5), and has the same resolution.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-52587

GHSA ID

GHSA-g85v-wf27-67xc

EPSS Score

0.64864%

CWE

CWE-78

Published

11/18/2024

Updated

11/19/2024

KEV Status

Technology

GitHub Actions

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
step-security/harden-runner	actions	< 2.10.2	2.10.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper use of execSync with untrusted environment variables in shell commands. In setup.ts, lines 169 and 229 directly interpolate USER into shell commands without sanitization. In arc-runner.ts, multiple functions (sendAllowedEndpoints, applyPolicy, etc.) use execSync with getRunnerTempDir(), which relies on the RUNNER_TEMP environment variable. Attackers could manipulate these variables to inject arbitrary commands. The commit diff shows these were patched by replacing execSync with safer methods like execFileSync or Node.js filesystem APIs, confirming the vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry V*rsions o* st*p-s**urity/**r**n-runn*r prior to v*.**.* *ont*in multipl* *omm*n* inj**tion w**kn*ss*s vi* *nvironm*nt v*ri**l*s t**t *oul* pot*nti*lly ** *xploit** un**r sp**i*i* *on*itions. *ow*v*r, *u* to t** *urr*nt *x**ution or**r o

Reasoning

T** vuln*r**ility st*ms *rom improp*r us* o* `*x**Syn*` wit* untrust** *nvironm*nt v*ri**l*s in s**ll *omm*n*s. In `s*tup.ts`, lin*s *** *n* *** *ir**tly int*rpol*t* `US*R` into s**ll *omm*n*s wit*out s*nitiz*tion. In `*r*-runn*r.ts`, multipl* *un*ti

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-52587: Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary

Details

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI