CVE-2025-54594
react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
Reserved 2025-07-25 | Published 2025-08-05 | Updated 2025-08-05 | Assigner GitHub_MCWE-269: Improper Privilege Management
CWE-94: Improper Control of Generation of Code ('Code Injection')
github.com/...m-tabs/security/advisories/GHSA-588g-38p4-gr6x
github.com/...ommit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c
callstack.notion.site/...ty-2405d027c0f8804ab7f7cdfb43366a31
Support options
