Description

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.

INFO

Published Date :

2025-08-05T23:31:53.399Z

Last Modified :

2025-08-06T20:29:56.111Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54594 vulnerability.

Vendors Products
React-native-bottom-tabs Project
  • React-native-bottom-tabs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54594.

URL Resource
https://callstack.notion.site/Post-Incident-Security-Measures-GitHub-Actions-Workflow-Vulnerability-2405d027c0f8804ab7f7cdfb43366a31 cve-icon cve-icon
https://github.com/callstackincubator/react-native-bottom-tabs/commit/9e1c9c61d742c435ac5e0901b7e0c9249b9fc70c cve-icon cve-icon
https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact