Cyber Resilience

CVE-2025-54594

Critical, RCE

Published: 06 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: no patched release; remediation commit only
CVSS v3.1 score: 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0035 (57.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54594 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 42.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-3 (Configuration Change Control) and SA-10 (Developer Configuration Management).

Deeper analysis

CVE-2025-54594 is a critical-severity vulnerability (CVSS 3.1 base score 9.1) affecting the react-native-bottom-tabs library for React Native in versions 0.9.2 and below. The issue stems from the github/workflows/release-canary.yml GitHub Actions workflow, which uses the pull_request_target event trigger. Unlike pull_request, this event runs the workflow with the base repository's secrets and a write-capable GITHUB_TOKEN, so when the workflow then checks out and executes code from a pull request, including one from a forked repository, untrusted code runs in a privileged context. This contradicts GitHub's own guidance for the trigger and enables code injection (CWE-94) and improper privilege management (CWE-269).

Any attacker with a GitHub account can exploit this vulnerability by forking the repository, creating a pull request that includes a malicious preinstall script in the package.json file, and then triggering the workflow by posting a specific comment ("!canary") on the pull request. Successful exploitation grants arbitrary code execution within the workflow's privileged environment, enabling the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN. Attackers could further leverage this access to push malicious code directly to the repository or publish compromised packages to the NPM registry.

The project's security advisory (GHSA-588g-38p4-gr6x) and a post-incident report detail the remediation, which consists of a commit (9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c) that removes the vulnerable github/workflows/release-canary.yml file entirely. However, no patched version of the library has been released as of the CVE publication on 2025-08-06, leaving users reliant on avoiding the workflow trigger or monitoring for an official release. Security practitioners should audit similar workflows for pull_request_target misuse and restrict permissions where possible.
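The audit the paragraph above recommends can be automated. The following script is an added example, not code from the page or from the react-native-bottom-tabs project: it applies line-based heuristics (not a full YAML parser) to a workflow file and flags the combination that makes pull_request_target dangerous, namely checking out the pull request head and running a package install that executes lifecycle scripts while the job holds secrets. The three embedded workflows are constructed for illustration and are not the project's real release-canary.yml; the hardened variant shows the corrected settings (pull_request trigger, least-privilege permissions, --ignore-scripts), and the labeler variant shows a legitimate pull_request_target use that never touches PR-controlled code.

```python
import re

# Constructed vulnerable workflow (illustrative; not the project's real file).
VULNERABLE_WORKFLOW = """\
name: canary
on:
  pull_request_target:
  issue_comment:
    types: [created]
jobs:
  canary:
    if: contains(github.event.comment.body, '!canary')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: npm install
      - run: npm publish --tag canary
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened workflow: unprivileged trigger, read-only token, no lifecycle scripts.
HARDENED_WORKFLOW = """\
name: canary-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
"""

# Constructed legitimate pull_request_target use: never checks out or runs PR code.
LABELER_WORKFLOW = """\
name: labeler
on:
  pull_request_target:
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Checkout of the PR head: either an explicit refs/pull/<n>/head ref or the head sha/ref expression.
PR_HEAD_RE = re.compile(r"refs/pull/|github\.event\.pull_request\.head\.(?:sha|ref)")
# Package installs run preinstall/postinstall scripts from the checked-out package.json.
INSTALL_RE = re.compile(r"\b(?:npm\s+(?:ci|install|i)|yarn(?:\s+install)?|pnpm\s+install)\b")
SECRETS_RE = re.compile(r"secrets\.[A-Za-z0-9_]+")
PERMISSIONS_RE = re.compile(r"^permissions:", re.M)


def _untrusted_install_lines(text: str) -> list:
    """Install commands that would execute lifecycle scripts (no --ignore-scripts)."""
    return [l.strip() for l in text.splitlines()
            if INSTALL_RE.search(l) and "--ignore-scripts" not in l]


def audit_workflow(text: str) -> list:
    """Return human-readable findings for one workflow file; empty list means nothing flagged."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # pull_request trigger from a fork gets no secrets and a read-only token
    findings.append("uses pull_request_target: job runs with base-repo secrets and a write-capable GITHUB_TOKEN")
    if PR_HEAD_RE.search(text):
        findings.append("checks out the pull request head: fork-controlled code enters the privileged job")
    for line in _untrusted_install_lines(text):
        findings.append(f"runs a package install that executes lifecycle scripts: {line}")
    secrets = sorted(set(SECRETS_RE.findall(text)))
    if secrets:
        findings.append("exposes secrets to the job: " + ", ".join(secrets))
    if not PERMISSIONS_RE.search(text):
        findings.append("no top-level permissions block: GITHUB_TOKEN falls back to the repository default scope")
    return findings


def is_high_risk(text: str) -> bool:
    """True when pull_request_target is combined with checkout or install of PR-controlled code."""
    if not TRIGGER_RE.search(text):
        return False
    return bool(PR_HEAD_RE.search(text)) or bool(_untrusted_install_lines(text))


if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                     ("labeler", LABELER_WORKFLOW)]:
        print(f"== {name}: high risk = {is_high_risk(wf)}")
        for f in audit_workflow(wf):
            print("  -", f)
```

Run it over every file under .github/workflows in repositories you own; a workflow that only reports the trigger finding (like the labeler sample) is an accepted pattern, while any workflow reported as high risk should be rewritten so that the privileged job never checks out or installs PR-controlled content.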


Vulnerability details

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.

CWE(s): CWE-94 (Code Injection), CWE-269 (Improper Privilege Management)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Vulnerability enables arbitrary code execution in privileged CI/CD workflow via pull_request_target misuse, directly facilitating injection of malicious code into releases and publication of compromised packages to NPM (software supply chain compromise).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45132 (shared CWE-94)
CVE-2026-29075 (shared CWE-94)
CVE-2026-44827 (shared CWE-94)
CVE-2026-22869 (shared CWE-94)
CVE-2026-40316 (shared CWE-94)
CVE-2025-27554 (shared CWE-94)
CVE-2026-31852 (shared CWE-269)
CVE-2026-33334 (shared CWE-269, CWE-94)
CVE-2025-13773 (shared CWE-94)
CVE-2025-61260 (shared CWE-94)

Affected Assets

react-native-bottom-tabs for React Native, versions 0.9.2 and below (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SA-10 Developer Configuration Management (prevent)
Requires developers to perform configuration management during development, directly preventing insecure GitHub Actions workflow configurations like pull_request_target that enable privileged execution of untrusted code from forked PRs.

CM-3 Configuration Change Control (prevent)
Establishes configuration change control for repository artifacts such as GitHub workflows, mitigating the introduction or persistence of vulnerable release-canary.yml configurations.

SA-15 Development Process, Standards, and Tools (prevent)
Mandates secure development processes, standards, and tools that prohibit dangerous CI/CD practices like untrusted pull_request_target triggers leading to arbitrary code execution and secret exfiltration.
