H3-2025-0011¶

GitHub Actions Self Hosted Runner

Description¶

Self-hosted runners in GitHub Actions, especially within public repositories, present a significant security risk due to the inherent difficulty in securing them.

Impact¶

An attacker can potentially exploit vulnerabilities in a self-hosted runner to execute malicious code within the runner's environment, gaining unauthorized access to sensitive data or the host system.

References¶

• Github Documentation
• CWE-1357: Reliance on Insufficiently Trustworthy Component