{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54594", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-25T16:19:16.095Z", "datePublished": "2025-08-05T23:31:53.399Z", "dateUpdated": "2025-08-06T20:29:56.111Z"}, "containers": {"cna": {"title": "react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x"}, {"name": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c", "tags": ["x_refsource_MISC"], "url": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c"}, {"name": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31", "tags": ["x_refsource_MISC"], "url": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31"}], "affected": [{"vendor": "callstackincubator", "product": "react-native-bottom-tabs", "versions": [{"version": "<= 0.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:31:53.399Z"}, "descriptions": [{"lang": "en", "value": "react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released."}], "source": {"advisory": "GHSA-588g-38p4-gr6x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T16:14:28.420227Z", "id": "CVE-2025-54594", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T20:29:56.111Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-06T16:14:28.420227Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T16:14:29.890Z"}}], "cna": {"title": "react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration", "source": {"advisory": "GHSA-588g-38p4-gr6x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "callstackincubator", "product": "react-native-bottom-tabs", "versions": [{"status": "affected", "version": "<= 0.9.2"}]}], "references": [{"url": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x", "name": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c", "name": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c", "tags": ["x_refsource_MISC"]}, {"url": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31", "name": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:31:53.399Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54594", "state": "PUBLISHED", "dateUpdated": "2025-08-06T20:29:56.111Z", "dateReserved": "2025-07-25T16:19:16.095Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-05T23:31:53.399Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released."}, {"lang": "es", "value": "react-native-bottom-tabs es una librer\u00eda de pesta\u00f1as inferiores nativas para React Native. En las versiones 0.9.2 y anteriores, el flujo de trabajo del repositorio de GitHub Actions, github/workflows/release-canary.yml, utilizaba incorrectamente el desencadenador de eventos pull_request_target, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo no confiable de una solicitud de extracci\u00f3n bifurcada en un contexto privilegiado. Un atacante podr\u00eda crear una solicitud de extracci\u00f3n que contuviera un script de preinstalaci\u00f3n malicioso en el archivo package.json y luego activar el flujo de trabajo vulnerable publicando un comentario espec\u00edfico (!canary). Esto permit\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario, lo que conduc\u00eda a la exfiltraci\u00f3n de secretos sensibles como GITHUB_TOKEN y NPM_TOKEN, y podr\u00eda haber permitido a un atacante enviar c\u00f3digo malicioso al repositorio o publicar paquetes comprometidos en el registro de NPM. Existe un commit de remediaci\u00f3n que elimina github/workflows/release-canary.yml, pero a\u00fan no se ha publicado una versi\u00f3n con esta correcci\u00f3n."}], "id": "CVE-2025-54594", "lastModified": "2025-08-06T20:23:52.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-06T00:15:30.857", "references": [{"source": "[email protected]", "url": "https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31"}, {"source": "[email protected]", "url": "https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c"}, {"source": "[email protected]", "url": "https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-269"}], "source": "[email protected]", "type": "Primary"}]}

{}