
Node20 Externals Version needs upgrade [CVE-2025-23083, CVE-2025-23090]

Open rcarpio-hbo opened this issue 10 months ago • 1 comment

Describe the bug

Security scanning of the default installation method results in the findings below.

To Reproduce

Steps to reproduce the behavior:

  • Take latest installation from releases including runtimes and externals. Example: actions-runner-linux-x64-2.322.0.tar.gz
  • Uncompress
  • Run security scan (e.g. Wiz)

Expected behavior

Clean security report

Runner Version and Platform

v2.322.0

OS of the machine running the runner? OSX/Windows/Linux/...

Linux

What's not working?

CPE vulnerabilities:
    Name: cpe:2.3:a:nodejs:node.js, Version: 20.18.0, Path: /externals/node20/bin/node
        CVE-2025-23083, Severity: HIGH, Source: https://vulncheck.com/browse/cve/CVE-2025-23083
            🩹 Fixed version: 20.18.2
        CVE-2025-23090, Severity: HIGH, Source: https://vulncheck.com/browse/cve/CVE-2025-23090
            🩹 Fixed version: 20.18.2

Vulnerable packages: CRITICAL: 0, HIGH: 1, MEDIUM: 0, LOW: 0, INFORMATIONAL: 0
    Total: 1
Vulnerabilities: CRITICAL: 0, HIGH: 2, MEDIUM: 0, LOW: 0, INFORMATIONAL: 0
    Total: 2, out of which 2 are fixable
Directories scanned: 1053, Files scanned: 4568
Scan results: PASSED. Directory meets policy requirements

rcarpio-hbo, Jan 29 '25 09:01
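The report above flags the Node runtime shipped under externals/node20 of the extracted tarball, with 20.18.2 as the fixed version for both CVEs. The script below is an added example, not code from the issue or from the actions/runner project: it checks the bundled node binary of an extracted runner directory against that minimum without needing a commercial scanner. It assumes the externals/node20/bin/node path shown in the report; the MIN_NODE20 variable, the function names and the constructed fixture it builds when run without arguments are the example's own.

```shell
#!/bin/sh
# Added example (not from actions/runner): verify the node binary bundled under
# externals/node20 of an extracted runner tarball meets a minimum version.
# Usage: sh check_runner_node.sh /path/to/extracted/runner
# With no argument it runs against a constructed fixture mimicking the report.

# Minimum taken from the report's "Fixed version" lines (CVE-2025-23083,
# CVE-2025-23090); override with MIN_NODE20=... in the environment.
MIN_NODE20="${MIN_NODE20:-20.18.2}"

# version_ge A B -> exit 0 if dotted version A >= B, compared numerically
# component by component (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# node_version_ok VERSION [MIN] -> 0 if VERSION (with or without a leading "v",
# as printed by `node --version`) meets MIN; 1 if older or unparseable.
node_version_ok() {
    v="${1#v}"
    min="${2:-$MIN_NODE20}"
    case "$v" in
        *[!0-9.]*|"") echo "unparseable node version: '$1'" >&2; return 1 ;;
    esac
    version_ge "$v" "$min"
}

# check_runner_dir DIR -> 0 if DIR/externals/node20/bin/node reports a version
# meeting MIN_NODE20; 1 if it is too old, missing or cannot be executed.
check_runner_dir() {
    node="$1/externals/node20/bin/node"
    if [ ! -x "$node" ]; then
        echo "no executable at $node" >&2
        return 1
    fi
    v=$("$node" --version 2>/dev/null) || { echo "could not run $node" >&2; return 1; }
    if node_version_ok "$v"; then
        echo "OK: node20 $v >= $MIN_NODE20"
    else
        echo "VULNERABLE: node20 $v < $MIN_NODE20 (CVE-2025-23083, CVE-2025-23090)" >&2
        return 1
    fi
}

if [ "$#" -ge 1 ]; then
    check_runner_dir "$1"
else
    # Constructed fixture (not a real runner): a fake node reporting v20.18.0,
    # the version the report above found, so the check is expected to fail.
    demo=$(mktemp -d)
    mkdir -p "$demo/externals/node20/bin"
    printf '#!/bin/sh\necho v20.18.0\n' > "$demo/externals/node20/bin/node"
    chmod +x "$demo/externals/node20/bin/node"
    check_runner_dir "$demo" || true
    rm -rf "$demo"
fi
```

The comparison deliberately ignores pre-release suffixes and anything after the third component; a version string containing other characters is rejected rather than guessed at, so a corrupted or non-node binary at that path shows up as a failure instead of a pass.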

This issue is duplicated by https://github.com/actions/runner/issues/3681

rcarpio-hbo, Jan 29 '25 10:01