CVE-2025-54594
BaseFortify

Publication date: 2025-08-06

Last updated on: 2025-08-06

Assigner: GitHub, Inc.

Description
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-08-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: callstackincubator
Product: react-native-bottom-tabs
Version / Range: *
CWE ID / Description
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in react-native-bottom-tabs versions 0.9.2 and below, where a GitHub Actions workflow (release-canary.yml) improperly used the pull_request_target event trigger. This allowed an attacker to execute untrusted code from a forked pull request in a privileged context by creating a pull request with a malicious preinstall script and triggering the workflow with a specific comment. This led to arbitrary code execution and exposure of sensitive secrets like GITHUB_TOKEN and NPM_TOKEN.

How can this vulnerability impact me?

The vulnerability can lead to arbitrary code execution within the repository's GitHub Actions environment, allowing an attacker to exfiltrate sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN. This could enable the attacker to push malicious code to the repository or publish compromised packages to the NPM registry, potentially affecting the integrity and security of your software supply chain.

What immediate steps should I take to mitigate this vulnerability?

Immediately remove or disable the github/workflows/release-canary.yml workflow from your repository to prevent execution of untrusted code via the pull_request_target event. Avoid merging pull requests from forked repositories until a fixed version of react-native-bottom-tabs is released. Review and rotate any potentially exposed secrets such as GITHUB_TOKEN and NPM_TOKEN to prevent unauthorized access.
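The mitigation above comes down to one question a maintainer can ask of every workflow file: does a privileged trigger (pull_request_target, issue_comment) check out pull-request-controlled code and then execute it, for example through an npm install that runs package.json lifecycle scripts? The following Python script is an added example, not code from the react-native-bottom-tabs project or from this page; it scans workflow YAML text for that pattern. The two embedded workflows are constructed samples that model the advisory's description and a hardened variant; they are not the project's actual release-canary.yml.

```python
import re

# Constructed sample modelled on the pattern the advisory describes: a privileged
# trigger, a checkout of the fork's head ref, and a dependency install that runs
# package.json lifecycle scripts (preinstall/postinstall) with secrets in scope.
VULNERABLE_WORKFLOW = """\
name: release-canary
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
jobs:
  canary:
    if: contains(github.event.comment.body, '!canary')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm publish --tag canary
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened variant: fork code runs under plain pull_request (read-only
# token, no repository secrets for forks) and lifecycle scripts are disabled.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
"""

# Triggers that run in the base repository's context with write token and secrets.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Checkout refs that resolve to content the PR author controls.
UNTRUSTED_REF = re.compile(r"github\.event\.(pull_request|issue)\.|refs/pull/")
# Package-manager installs that execute lifecycle scripts unless told not to.
INSTALL_CMD = re.compile(r"\b(npm|yarn|pnpm)\s+(install|ci|i)\b")
SECRET_REF = re.compile(r"secrets\.(\w+)")


def audit_workflow(text):
    """Return a list of (severity, message) findings for one workflow file's text."""
    lines = text.splitlines()
    triggers = [t for t in PRIVILEGED_TRIGGERS
                if re.search(rf"^\s*{t}\s*:", text, re.M)]
    untrusted_ref = any(l.strip().startswith("ref:") and UNTRUSTED_REF.search(l)
                        for l in lines)
    scripted_install = any(INSTALL_CMD.search(l) and "--ignore-scripts" not in l
                           for l in lines)
    secrets = sorted(set(SECRET_REF.findall(text)))

    findings = []
    if triggers and untrusted_ref:
        findings.append(("high", f"{', '.join(triggers)} check(s) out a PR-controlled ref; "
                                 "fork code runs with a write token and repository secrets"))
        if scripted_install:
            findings.append(("high", "dependency install in that job runs package.json "
                                     "lifecycle scripts (preinstall/postinstall)"))
        if secrets:
            findings.append(("high", f"secrets exposed to that job: {', '.join(secrets)}"))
    elif triggers:
        findings.append(("medium", f"{', '.join(triggers)} used; confirm no step "
                                   "executes PR-controlled content"))
    elif scripted_install:
        findings.append(("low", "dependency install runs lifecycle scripts; "
                                "prefer --ignore-scripts for untrusted input"))
    return findings


def is_safe(text):
    """True when the workflow has no high-severity finding."""
    return not any(sev == "high" for sev, _ in audit_workflow(text))


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: safe={is_safe(wf)}")
        for sev, msg in audit_workflow(wf):
            print(f"  [{sev}] {msg}")
```

Run it over every file under .github/workflows/ as a pre-merge check; the high-severity combination (privileged trigger plus PR-controlled checkout) is the one that warrants removing or restructuring the workflow, and rotating any secret that job could read, as the mitigation steps advise.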