Description
Potential Security Vulnerability Detected
Repository: nodejs/node
Commit: bc6fc1c
Author: dependabot[bot]
Date: 2026-02-22T22:54:58Z
Commit Message
meta: bump step-security/harden-runner from 2.14.1 to 2.14.2
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.1 to 2.14.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/e3f713f2d8f53843e71c69a996d56f51aa9adfb9...5ef0c079ce82195b2a36a210272d6b661572d83e)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.14.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
PR-URL: https://github.com/nodejs/node/pull/61909
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Pull Request
PR: #61909 - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2
Labels: meta, author ready, dependencies, github_actions
Description:
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.1 to 2.14.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p>
<blockquote>
<h2>v2.14.2</h2>
<h2>What's Changed</h2>
<p>Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypas...
Analysis
Vulnerability Type: Audit Log Bypass
Severity: Medium
Description
The bump to 2.14.2 picks up the fix for a medium severity vulnerability in step-security/harden-runner: outbound network traffic sent with the sendto, sendmsg and sendmmsg socket system calls bypassed audit logging under the 'egress-policy: audit' mode. Traffic sent through those system calls could therefore leave the runner without appearing in the audit log, which weakened the audit monitoring available in the Community Tier. The nodejs/node workflow step quoted below runs harden-runner in exactly that audit mode.
Affected Code
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
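The following check is an added example written for this page; it is not code from nodejs/node or from step-security/harden-runner. It scans workflow text for `uses: step-security/harden-runner@...` steps, reads the version from the tag or from the trailing `# vX.Y.Z` comment that Dependabot maintains, and flags any step pinned below 2.14.2 that runs with `egress-policy: audit`. The two sample workflows are constructed from the step quoted above and from the v2.14.2 commit SHA in the Dependabot compare link; the function and constant names are this example's own.

```python
import re

# Constructed sample built from the affected nodejs/node step quoted above.
VULNERABLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
"""

# Constructed sample pinned to the v2.14.2 SHA from the Dependabot compare link.
FIXED_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit
"""

FIXED_IN = (2, 14, 2)  # first release containing the sendto/sendmsg/sendmmsg audit fix

# Matches the action reference and, if present, Dependabot's "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*step-security/harden-runner@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*v?(?P<comment_ver>\d+\.\d+\.\d+))?"
)
POLICY_RE = re.compile(r"^\s*egress-policy:\s*(?P<policy>\w+)")
TAG_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'v2.14.1' or '2.14.1' -> (2, 14, 1); anything else (a bare SHA) -> None."""
    m = TAG_VER_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_harden_runner(workflow_text):
    """Return one finding per harden-runner step in the workflow text.

    status is one of:
      'vulnerable'      pinned below 2.14.2 and running in audit mode
      'outdated'        pinned below 2.14.2 with another (or no) egress-policy
      'unknown-version' SHA pin with no version comment; verify by hand
      'ok'              2.14.2 or later
    """
    findings = []
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        version = parse_version(ref) or (
            parse_version(m.group("comment_ver")) if m.group("comment_ver") else None
        )
        # The egress-policy lives in the step's 'with:' block, so look ahead
        # until the next step ('- ') or the next 'uses:' line.
        policy = None
        for nxt in lines[i + 1:]:
            if USES_RE.match(nxt) or nxt.lstrip().startswith("- "):
                break
            pm = POLICY_RE.match(nxt)
            if pm:
                policy = pm.group("policy")
                break
        if version is None:
            status = "unknown-version"
        elif version >= FIXED_IN:
            status = "ok"
        elif policy == "audit":
            status = "vulnerable"
        else:
            status = "outdated"
        findings.append(
            {"line": i + 1, "ref": ref, "version": version, "policy": policy, "status": status}
        )
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        for f in audit_harden_runner(text):
            print(f"{name}: line {f['line']} {f['ref'][:12]} {f['version']} "
                  f"policy={f['policy']} -> {f['status']}")
```

A step pinned to a bare SHA without a version comment comes back as `unknown-version`; the SHA must then be resolved against the harden-runner tags before it can be cleared, which is also the reason to keep Dependabot's `# vX.Y.Z` comment on pinned actions.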
Proof of Concept
Run a workflow with step-security/harden-runner@v2.14.1 configured with 'egress-policy: audit'. Execute a container or job step that sends outbound traffic through the sendto or sendmsg system calls (e.g., an unconnected UDP socket that passes the destination address to sendto). Observe that these sends produce no entry in the harden-runner audit log, which verifies that the egress audit logging is bypassed. Include a positive control in the same job, such as an ordinary TCP connection to a destination you control, which should appear in the log, so that a missing entry can be attributed to the bypass rather than to logging being off altogether.
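The probe below is an added example for the procedure above; it is not code from the original issue, from nodejs/node or from step-security/harden-runner. It sends a marker payload over the two paths the advisory names that Python can issue directly, sendto and sendmsg with the destination supplied per call, alongside a TCP connect()-based control that is assumed here to be logged by harden-runner in both versions (the page does not state which paths are logged). `run_local_probe()` stands up loopback receivers so the script can be checked offline; on a real runner, call `send_via_syscalls()` with a destination you control and compare the result against the audit log. All names and the payload are this example's own.

```python
import socket

PAYLOAD = b"harden-runner egress audit probe"  # constructed marker payload


def send_via_syscalls(udp_dest, tcp_dest=None):
    """Emit traffic over the socket paths named in the advisory.

    udp_dest: (host, port) for the unconnected UDP sends (sendto/sendmsg).
    tcp_dest: optional (host, port) for a connect()-based TCP control, assumed
              to show up in the harden-runner audit log in both versions.
    Returns the list of send paths that completed without a socket error.
    """
    done = []

    # Control path: TCP connect(2), then a write on the established stream.
    if tcp_dest is not None:
        with socket.create_connection(tcp_dest, timeout=2.0) as s:
            s.sendall(PAYLOAD + b" tcp-connect")
        done.append("tcp-connect")

    # Path 1: unconnected UDP socket; the destination is an argument of sendto(2).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(PAYLOAD + b" udp-sendto", udp_dest)
    done.append("udp-sendto")

    # Path 2: unconnected UDP socket; the destination travels in the msghdr of
    # sendmsg(2). Python has no sendmmsg() wrapper, so that path is not covered;
    # on Linux, run under strace to confirm which syscall each path issued.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendmsg([PAYLOAD + b" udp-sendmsg"], [], 0, udp_dest)
    done.append("udp-sendmsg")

    return done


def run_local_probe():
    """Offline self-check: loopback receivers for every path.

    Returns a dict mapping each send path to whether its payload arrived, so
    the probe can be trusted before it is pointed at an external destination.
    """
    received = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp_sink, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp_sink:
        udp_sink.bind(("127.0.0.1", 0))
        udp_sink.settimeout(2.0)
        tcp_sink.bind(("127.0.0.1", 0))
        tcp_sink.listen(1)
        tcp_sink.settimeout(2.0)

        paths = send_via_syscalls(udp_sink.getsockname(), tcp_sink.getsockname())

        # The TCP client has already sent and closed; the data is queued.
        conn, _ = tcp_sink.accept()
        with conn:
            received["tcp-connect"] = conn.recv(1024).endswith(b"tcp-connect")

        # Two datagrams are expected; the trailing token says which path sent it.
        for _ in range(2):
            data, _ = udp_sink.recvfrom(1024)
            received[data.split()[-1].decode()] = True

    return {p: received.get(p, False) for p in paths}


if __name__ == "__main__":
    for path, ok in run_local_probe().items():
        print(f"{path}: {'received' if ok else 'MISSING'}")
```

To see the system calls each path issues on a Linux runner, wrap the script with `strace -f -e trace=connect,sendto,sendmsg python3 probe.py`; the two UDP paths show a destination address inside the sendto/sendmsg arguments, while the control path shows it only in connect(). Loopback traffic never leaves the runner, so the real test replaces the loopback destinations with an external host and port you control and then checks whether the UDP destination is absent from the harden-runner insights while the TCP control is present.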
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-01T15:42:14.613Z