A critical vulnerability—CVE-2025-54594 (CVSS 9.1)—has been identified in the React Native Bottom Tabs project, exposing the repository to arbitrary code execution and secret exfiltration through a misconfigured GitHub Actions workflow.
The flaw was present in the release-canary.yml file, which improperly used the pull_request_target trigger, granting attackers the ability to inject and execute malicious code via forked pull requests — a well-known, yet often overlooked, risk in CI/CD pipelines.
React Native Bottom Tabs, a popular library providing native bottom tab navigation for React Native apps, relied on GitHub Actions workflows for automated releases. The problem stemmed from the way it handled pull requests from forks.
“The workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context,” the advisory explains.
This meant a threat actor could:
- Submit a pull request with a malicious preinstall script embedded in package.json
- Post a comment like !canary to trigger the vulnerable workflow
- Achieve remote code execution on the GitHub-hosted runner
This access enabled attackers to exfiltrate highly privileged secrets including:
- GITHUB_TOKEN
- NPM_TOKEN
With these credentials, an attacker could:
- Push malicious code to the project
- Publish compromised NPM packages
- Damage downstream projects depending on the library
The project maintainers responded swiftly:
“The vulnerability was remediated by removing the workflow file from the repository. No packages were affected.”
Although no malicious packages were published, the incident highlights a persistent and dangerous misconfiguration pattern within open-source CI pipelines.
Going forward, users are strongly advised to:
- Remove or carefully audit workflows that use pull_request_target or issue_comment
- Avoid checking out untrusted code in workflows with write-level tokens
- Immediately rotate potentially compromised secrets like GITHUB_TOKEN and NPM_TOKEN
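The audit recommended above can be scripted. The following is an added example, not code from the React Native Bottom Tabs project: it flags workflows that combine a pull_request_target or issue_comment trigger with a checkout of the PR head and a package install that would run a fork's preinstall script. It takes the dict that PyYAML's yaml.safe_load produces for a workflow file; the two sample workflows are constructed here and are not the project's real release-canary.yml.

```python
# Audit parsed GitHub Actions workflows for the advisory's pattern: a privileged
# trigger (pull_request_target / issue_comment) plus a checkout of the PR head
# and a package install that runs package.json lifecycle scripts (preinstall).
# Feed it yaml.safe_load() output for each file under .github/workflows/.
DANGEROUS_TRIGGERS = {"pull_request_target", "issue_comment"}
UNTRUSTED_REFS = ("pull_request.head", "github.head_ref")  # fork-controlled code
INSTALL_CMDS = ("npm install", "npm ci", "yarn", "pnpm install")  # run lifecycle scripts

def trigger_names(workflow):
    """Normalise the `on:` key (PyYAML parses the bare key `on` as True)."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, list) else set(on.keys())

def findings(workflow):
    """Return one finding string per risky step; an empty list means clean."""
    issues = []
    risky = sorted(trigger_names(workflow) & DANGEROUS_TRIGGERS)
    if not risky:  # a plain pull_request from a fork gets no write token or secrets
        return issues
    for job_name, job in workflow.get("jobs", {}).items():
        untrusted_checkout = False
        for step in job.get("steps", []):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and any(u in ref for u in UNTRUSTED_REFS):
                untrusted_checkout = True
                issues.append(f"{job_name}: {risky} trigger checks out PR head via {ref!r}")
            run = str(step.get("run", ""))
            if untrusted_checkout and any(c in run for c in INSTALL_CMDS):
                issues.append(f"{job_name}: {run.strip()!r} runs lifecycle scripts from the untrusted checkout")
    return issues

# Constructed workflows (not the project's real file), modelled on the advisory.
VULNERABLE = {
    "on": {"pull_request_target": {}, "issue_comment": {"types": ["created"]}},
    "jobs": {"canary": {"steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm install"},  # a fork's preinstall script executes here
        {"run": "npm publish --tag canary",
         "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}
HARDENED = {  # still privileged, but only the trusted base branch is checked out
    "on": {"pull_request_target": {}},
    "jobs": {"canary": {"steps": [{"uses": "actions/checkout@v4"}, {"run": "npm ci"}]}},
}
```

Running `findings(VULNERABLE)` yields two findings (the head checkout and the install on it), while `findings(HARDENED)` yields none because the base-branch checkout never exposes fork-controlled code to the install step.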