Github's Ubuntu Runners Have 1,681 Packages and 9 High Severity Vulns

Posted3 months agoActive3 months ago

nathan_naveen

5 points

5 comments

bomfather.devTechstory

calmnegative

Debate

20/100

GithubSecurityUbuntuCi/cd

Key topics

Github

Security

Ubuntu

Ci/cd

The article reveals that GitHub's Ubuntu runners have numerous packages with high-severity vulnerabilities, sparking concerns about the security implications for CI/CD pipelines.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

0-1h

Avg / period

Key moments

01Story posted
Oct 13, 2025 at 11:03 AM EDT
3 months ago
Step 01
02First comment
Oct 13, 2025 at 11:10 AM EDT
7m after posting
Step 02
03Peak activity
5 comments in 0-1h
Hottest window of the conversation
Step 03
04Latest activity
Oct 13, 2025 at 11:44 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (5 comments)

Showing 5 comments

reneberlin

3 months ago

1 reply

I get the point, it shouldn't be like that at all. But you can use a runner that you run on your behalf in a cloud instead and create your runner with minimum packages. At least for as long as the situation stays like this.

It's the first time i became clear how big the problem really is - only looking at the vulns at https://osv.dev/ (thanks for sharing - i didn't know that one).

I was aware of the vuln and lately wormed mess in npm, but i was sure everything else is mitigated much better - and runners, i of course thought are cared for a lot more. Yes, i am looking at you GH.

nathan_naveenAuthor

3 months ago

Thanks for your thoughts!

Yeah, that is exactly what we thought, so we are migrating our runner to our own infra.

josephcsible

3 months ago

1 reply

Are any of them actually exploitable in the context of a GitLab runner that doesn't use them? This feels like a security company looking for ways to justify their existence.

nathan_naveenAuthor

3 months ago

Hey, I'm a co-founder of Bomfather, we just stumbled upon this problem when we were building our product. Our product doesn't actually secure this, the best solution is to just run your own private runner.

nathan_naveenAuthor

3 months ago

We are a security startup and we wanted to know what goes into our build server (which happened to be GH runners). We took a deeper look in the Ubuntu-latest runners and went down the rabbit hole.

View full discussion on Hacker News

ID: 45569095Type: storyLast synced: 11/17/2025, 10:05:11 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN