
Vulnerable npm Packages Present in GitHub Actions Runner #4070

@satyakrish

Description


Describe the bug
We have identified multiple high and critical severity vulnerabilities reported by Prisma Cloud scans in our self-hosted GitHub Actions runner. Upon investigation, these vulnerabilities stem from npm packages bundled within the runner's environment, not from our application code. The packages in use seem to be outdated versions and need to be either upgraded to the latest fixed version, or they are just declared and not used at all, in which case the declarations should be removed from the respective package.json files.

Affected Packages

The following packages are declared in package.json files across nested submodules in the runner directory:

| Package Name | Declared Version(s) | CVEs Identified |
| --- | --- | --- |
| codecov | ^1.0.1, ^3.8.2 | CVE-2020-15123, CVE-2020-7596, CVE-2020-7597 |
| minimist | ^1.2.5 | CVE-2021-44906 |
| requirejs | ^2.1.16 | CVE-2024-38999 |
| async | ^3.2.0 | CVE-2021-43138 |
| cross-spawn | ^7.0.0, ^7.0.6 | CVE-2024-21538 |
| grunt | ^1.0.1, ^1.6.1 | CVE-2022-1537 |
| proxy | 2.1.1, 2.2.0 | CVE-2023-2968 |
| ws | ^3.3.3, ^5.2.4 | CVE-2024-37890 |
| vite | 5.2.11, 6.1.0 | CVE-2025-30208, CVE-2025-31125 |
| systeminformation | ^5.21.17 | CVE-2024-56334 |
| standard-version | ^7.0.0, ^9.5.0 | GHSA-7xcx-6wjh-7xp2 |

To Reproduce
Steps to reproduce the behavior:

  1. Create a self-hosted runner using the action runner tarball.
  2. Prisma scans report the above-mentioned critical and high vulnerabilities against the packages given above.

Expected behavior
The packages in use seem to be outdated versions and need to be either upgraded to the latest fixed version, or they are just declared and not used at all, in which case the declarations should be removed from the respective package.json files.

Runner Version and Platform

Version of your runner? v2.328.0

OS of the machine running the runner? OSX/Windows/Linux/...
Linux

What's not working?

Attached: Prisma scan report (xls) and npm command output for each package.

critical_high_vulnerabilities_report.csv

runner-vuln-analysis.txt

Job Log Output

If applicable, include the relevant part of the job / step log output here. All sensitive information should already be masked out, but please double-check before pasting here.

Runner and Worker's Diagnostic Logs

If applicable, add relevant diagnostic log information. Logs are located in the runner's _diag folder. The runner logs are prefixed with Runner_ and the worker logs are prefixed with Worker_. Each job run correlates to a worker log. All sensitive information should already be masked out, but please double-check before pasting here.
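The triage the report asks for (which nested package.json declares a flagged package, and whether that package is actually installed beside it or only declared) can be scripted. The following is an added example, not code from the issue or from the runner project; the package list is taken from the table above, and the sample directory tree it builds is constructed for the demonstration, not a real runner layout.

```python
import json
import os
import tempfile

# Packages the Prisma scan flagged in the issue above.
AFFECTED = {"codecov", "minimist", "requirejs", "async", "cross-spawn", "grunt",
            "proxy", "ws", "vite", "systeminformation", "standard-version"}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

def load_manifest(path):
    """Parsed package.json at `path`, or None if it is missing or malformed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None

def find_declarations(root):
    """Walk `root` for package.json files (skipping node_modules) and report each declaration
    of an affected package plus the version installed beside it (None = declared, not installed)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # those belong to dependencies
        if "package.json" not in filenames:
            continue
        manifest = os.path.join(dirpath, "package.json")
        data = load_manifest(manifest) or {}
        for field in DEP_FIELDS:
            for name, rng in data.get(field, {}).items():
                if name in AFFECTED:
                    inst = load_manifest(os.path.join(dirpath, "node_modules", name, "package.json"))
                    findings.append({"manifest": os.path.relpath(manifest, root), "field": field,
                                     "package": name, "declared": rng,
                                     "installed": inst.get("version") if inst else None})
    return sorted(findings, key=lambda f: (f["package"], f["manifest"]))

def write_json(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(obj, fh)

def build_sample_tree():
    """Constructed sample layout (not a real runner tree): the top-level manifest declares
    and installs minimist; a nested manifest declares ws but never installs it."""
    root = tempfile.mkdtemp()
    write_json(os.path.join(root, "package.json"), {"devDependencies": {"minimist": "^1.2.5"}})
    write_json(os.path.join(root, "node_modules", "minimist", "package.json"), {"version": "1.2.5"})
    write_json(os.path.join(root, "sub", "package.json"),
               {"dependencies": {"ws": "^3.3.3", "lodash": "^4.17.21"}})
    return root
```

Run `find_declarations("/path/to/runner")` against the unpacked runner directory; entries whose `installed` is None are the "declared but not used" case, the rest need the declared range moved to a fixed release.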

Labels: bug