Horizon Alert
Summary of the vulnerability and why it matters
A critical vulnerability exists in Gitea's act_runner when using the Docker backend, allowing unauthorized access to host systems. This issue stems from how workflow options are processed, potentially enabling a malicious actor to gain root-level privileges on the host machine, even when privileged mode is disabled.
- Runner can be used to escape its container.
- Critical access allows host system takeover.
- Confirm relevance and exposure to internal systems.
Attack Path
How an attacker could exploit the issue
An attacker with the ability to run workflows on a Docker-backed Gitea act_runner can exploit this vulnerability. The runner incorrectly handles specific container options passed from a workflow. By crafting a malicious workflow, an attacker can cause the runner to create a job container with host namespaces and broad capabilities, allowing them to escape the container and gain root access on the host system, even if privileged mode is disabled.
- Attacker can run workflows.
- Craft malicious workflow container options.
- Escape container, gain root access.
Live Threat
Current exploitation, exposure, and threat context
A user who can run workflows on a Docker-backed Gitea act_runner could exploit this vulnerability to gain root-level access to the host system by crafting specific container options, even when the runner is configured without privileged mode. This could allow an attacker to control the underlying host.
- Host system access.
- Workflow execution with crafted options.
- Host system compromise.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability in Gitea act_runner with the Docker backend requires that an attacker first gain the ability to run a workflow. The platform team or DevOps engineers responsible for the CI/CD infrastructure should take the lead in identifying affected runners, while application owners need to confirm the criticality of the workflows executed on them. The initial practical move is to locate all Docker-backed act_runners, verify their network exposure, and identify the owning team to prioritize remediation based on risk.
- Platform and DevOps teams own the issue.
- Verify runner access and workflow criticality.
- Plan risk-based remediation actions.