
CVE-2025-54594: CWE-269: Improper Privilege Management in callstackincubator react-native-bottom-tabs

Severity: Critical
Tags: Vulnerability, CVE-2025-54594, CWE-269, CWE-94
Published: Tue Aug 05 2025 (08/05/2025, 23:31:53 UTC)
Source: CVE Database V5
Vendor/Project: callstackincubator
Product: react-native-bottom-tabs

Description

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.

AI-Powered Analysis

Last updated: 08/13/2025, 01:08:20 UTC

Technical Analysis

CVE-2025-54594 is a critical vulnerability in react-native-bottom-tabs, a widely used React Native component for native bottom tab navigation. The flaw is improper privilege management in the GitHub Actions workflow file github/workflows/release-canary.yml in versions 0.9.2 and below. The workflow uses the pull_request_target event trigger, which runs in the context of the base repository, with access to its secrets and a write-capable GITHUB_TOKEN, rather than in the restricted context of the forked pull request. An attacker can therefore open a pull request from a fork whose package.json carries a crafted preinstall script; posting the comment !canary triggers the workflow, which installs the dependencies of the untrusted pull request and executes that script with the workflow's privileges.

The result is arbitrary code execution inside the repository's CI environment, from which the attacker can exfiltrate secrets such as GITHUB_TOKEN and NPM_TOKEN. Those tokens grant repository write access and NPM publishing rights respectively, so a successful attack could push malicious commits to the repository or publish compromised versions of react-native-bottom-tabs to the NPM registry, affecting every downstream consumer. A remediation commit removes the vulnerable workflow file, but no fixed version has been released yet. The CVSS v3.1 base score is 9.1 (critical): network attack vector, low attack complexity, no authentication or user interaction required, and high impact on confidentiality and integrity.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those that use react-native-bottom-tabs in their mobile applications or development pipelines. Compromise of the repository or of the NPM package could distribute malicious code widely, undermining the confidentiality and integrity of applications used by European users. Sensitive corporate data could be exfiltrated if attackers use stolen tokens to reach private repositories or plant backdoors. Organizations whose CI/CD pipelines pull in this library face a supply chain attack that yields compromised builds and, where a data breach follows, potential regulatory non-compliance under GDPR. The ability to publish malicious packages to NPM also threatens the broader European developer ecosystem, since numerous downstream projects and their users would be affected.

Mitigation Recommendations

European organizations should immediately audit their use of react-native-bottom-tabs and determine whether version 0.9.2 or below is in use. Until an official patched version is released, consider temporarily removing or replacing the dependency. Repository administrators should also review and restrict their own GitHub Actions workflows, avoiding pull_request_target triggers that check out or execute untrusted pull request code. Applying least privilege to GitHub tokens, for example fine-grained personal access tokens with minimal scopes, limits the damage a leaked token can do. Monitor repository activity for unusual pull requests or comments that trigger workflows. Rotate any secrets that may have been exposed and enforce multi-factor authentication on developer accounts. Finally, subscribe to vendor advisories and update promptly once a patched version is available.
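The technical analysis above describes the dangerous combination (a privileged trigger, a checkout of the fork's code, and a package install that runs lifecycle scripts next to repository secrets), and the mitigation section asks administrators to review their own workflows for it. The following audit helper is an added example written for this page; it is not the project's tooling, and the two embedded workflows are constructed models of the vulnerable pattern and its hardened counterpart, not the actual release-canary.yml. The scan is text-level and heuristic, so hits are leads for manual review rather than verdicts.

```python
"""Heuristic audit for GitHub Actions workflows that run untrusted pull-request
code under a privileged trigger (the shape of CVE-2025-54594).

Hypothetical helper written for this page; not the project's own tooling.
"""
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample modelled on the advisory: pull_request_target runs with
# the base repository's secrets, the PR head is checked out, and npm install
# executes the fork's package.json preinstall script. Not the real workflow.
VULNERABLE_WORKFLOW = """\
name: release-canary
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  canary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm publish --tag canary
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened counterpart: untrusted code runs under the unprivileged
# pull_request event with a read-only token, lifecycle scripts are disabled,
# and no publishing secret is present in the job.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
"""

# Triggers that run with base-repository secrets and a write-capable
# GITHUB_TOKEN even when the pull request comes from a fork.
PRIVILEGED_TRIGGER_RE = re.compile(r"\b(pull_request_target|issue_comment|workflow_run)\b")
# Checkout of the PR head (or a refs/pull/... ref) instead of the base branch.
PR_HEAD_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/[^\s/]+/(head|merge)"
)
# Package-manager invocations that execute package.json lifecycle scripts
# (preinstall/postinstall) unless scripts are explicitly disabled.
INSTALL_RE = re.compile(
    r"^\s*-?\s*run:.*\b(npm\s+(install|ci|i)\b|yarn\s+install\b|yarn\s*$|pnpm\s+install\b).*$",
    re.M,
)
# Any repository secret other than the automatic GITHUB_TOKEN.
SECRET_RE = re.compile(r"secrets\.(?!GITHUB_TOKEN\b)\w+")
PERMISSIONS_RE = re.compile(r"^\s*permissions\s*:", re.M)


def audit_workflow(text: str) -> List[str]:
    """Return the list of risk indicators found in one workflow file."""
    findings: List[str] = []
    if PRIVILEGED_TRIGGER_RE.search(text):
        findings.append("privileged-trigger")
    if PR_HEAD_RE.search(text):
        findings.append("checks-out-pr-head")
    if any("--ignore-scripts" not in m.group(0) for m in INSTALL_RE.finditer(text)):
        findings.append("runs-lifecycle-scripts")
    if SECRET_RE.search(text):
        findings.append("exposes-repository-secret")
    if not PERMISSIONS_RE.search(text):
        findings.append("no-permissions-block")
    return findings


def is_high_risk(text: str) -> bool:
    """Untrusted PR code checked out under a privileged trigger: the CVE's shape."""
    found = audit_workflow(text)
    return "privileged-trigger" in found and "checks-out-pr-head" in found


def audit_directory(repo: Path) -> Dict[str, List[str]]:
    """Audit every workflow under <repo>/.github/workflows."""
    results: Dict[str, List[str]] = {}
    for wf in sorted((repo / ".github" / "workflows").glob("*.y*ml")):
        results[wf.name] = audit_workflow(wf.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: high_risk={is_high_risk(text)} findings={audit_workflow(text)}")
```

Run it as a script to see both samples scored, or call audit_directory on a checked-out repository to list findings per workflow file. The decisive indicator is the pairing of a privileged trigger with a checkout of the pull request head; the remaining findings (lifecycle scripts, extra secrets, no permissions block) describe how much a successful execution can reach, which is what the mitigation advice on least-privilege tokens is meant to shrink.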


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-25T16:19:16.095Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68929821ad5a09ad00ec5ad6

Added to database: 8/5/2025, 11:47:45 PM

Last enriched: 8/13/2025, 1:08:20 AM

Last updated: 9/1/2025, 10:14:21 AM

