CVE-2025-32955 is a privilege chaining vulnerability affecting the step-security product 'harden-runner', a CI/CD security agent designed to function as an Endpoint Detection and Response (EDR) tool for GitHub Actions runners. The vulnerability exists in versions from 0.12.0 up to, but not including, 2.12.0. Harden-Runner includes a security policy option called 'disable-sudo' intended to prevent the GitHub Actions runner user from executing commands with elevated privileges via sudo. This is implemented by removing the runner user from the sudoers file, effectively denying sudo access. However, the runner user is also a member of the docker group, which grants it the ability to interact with the Docker daemon. This membership allows the user to launch privileged Docker containers or access the host filesystem through Docker. An attacker who has control over the runner user can exploit this to regain root privileges or restore the sudoers file, thereby bypassing the 'disable-sudo' restriction. This constitutes a privilege escalation vulnerability through improper privilege management and chaining (CWE-268 and CWE-269). The issue was identified and patched in version 2.12.0 of harden-runner. There are no known exploits in the wild at the time of publication, but the vulnerability presents a significant risk in environments where hardened CI/CD runners are used with Docker privileges enabled. The vulnerability leverages the intersection of container privileges and host system permissions, highlighting the risks of granting CI/CD runner users membership in privileged groups such as docker without additional controls.

For European organizations relying on GitHub Actions for CI/CD pipelines and deploying harden-runner versions prior to 2.12.0, this vulnerability poses a significant risk of privilege escalation. An attacker who gains access to the GitHub Actions runner user account could exploit the Docker group membership to escalate privileges to root on the host system. This could lead to full system compromise, unauthorized code execution, data exfiltration, or disruption of build and deployment processes. The impact extends to the integrity and availability of the CI/CD infrastructure, potentially affecting software supply chain security. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and critical infrastructure, could face regulatory and reputational damage if exploited. The vulnerability undermines the security controls intended to limit privilege escalation, thereby increasing the attack surface of automated build environments. Given the widespread adoption of GitHub Actions and Docker in European enterprises, the risk is material, especially where hardened-runner is deployed without timely patching. The lack of known exploits in the wild reduces immediate risk but does not preclude targeted attacks or future exploitation.

Upgrade harden-runner to version 2.12.0 or later, where the vulnerability is patched. Review and restrict membership of the GitHub Actions runner user in the docker group. Where possible, avoid granting docker group privileges to the runner user or isolate Docker daemon access using rootless Docker or socket proxying techniques. Implement strict access controls and monitoring on CI/CD runners, including logging Docker daemon interactions and detecting anomalous container launches. Use container runtime security tools to enforce least privilege and prevent privileged container execution from untrusted sources. Consider segregating CI/CD runners in isolated environments or virtual machines to limit host impact if compromised. Regularly audit sudoers and group memberships to ensure no unauthorized privilege escalations are possible. Employ multi-factor authentication and credential vaulting for GitHub Actions runner credentials to reduce risk of initial compromise. Incorporate runtime behavioral detection to identify attempts to exploit Docker daemon access for privilege escalation.