PT-2025-32002 · Npm +1

Albertopellitteri +1

Published 2025-08-05 · Updated 2025-09-11 · CVE-2025-54594

CVSS v2.0: 9.4 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: react-native-bottom-tabs versions 0.9.2 and earlier
Description: The react-native-bottom-tabs library improperly used the `pull_request_target` event trigger in the `.github/workflows/release-canary.yml` GitHub Actions workflow. This allowed untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious `preinstall` script in `package.json` and trigger the vulnerable workflow by posting a specific comment (`!canary`). This enabled arbitrary code execution, potentially leading to the exfiltration of sensitive secrets such as `GITHUB_TOKEN` and `NPM_TOKEN`, and to malicious code being pushed to the repository or compromised packages being published to the npm registry. Approximately 158,500 services are estimated to be affected yearly.
Recommendations: react-native-bottom-tabs versions prior to the release containing the fix for CVE-2025-54594 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
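The description above combines three workflow choices: a privileged trigger (`pull_request_target`, here paired with `issue_comment` for the `!canary` command), a checkout of the contributor's commit, and a package install that runs lifecycle scripts with secrets in scope. The following audit script is an added example (not the project's code or the advisory's) that flags that combination in workflow text; both workflow samples are constructed, and the hardened one shows the corrected shape (unprivileged trigger, `--ignore-scripts`).

```python
import re

# Constructed sample modelled on the pattern the advisory describes; NOT the project's real release-canary.yml.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
  issue_comment:
jobs:
  canary:
    if: contains(github.event.comment.body, '!canary')
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm publish --tag canary
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened counterpart: unprivileged trigger, lifecycle scripts disabled at install time.
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
"""
# Triggers that run with a write-capable GITHUB_TOKEN and repository secrets even for fork PRs.
PRIVILEGED_TRIGGERS = re.compile(r"^\s*(pull_request_target|issue_comment|workflow_run)\s*:", re.M)
# Checking out the contributor's commit inside such a job.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/[^/\s]+/(head|merge)")
# Package installs run preinstall/postinstall hooks from the checked-out package.json.
INSTALL_RUNS_SCRIPTS = re.compile(r"\b(npm (ci|install|i)|yarn(\s+install)?|pnpm (i|install))\b(?![^\n]*--ignore-scripts)")
SECRETS = re.compile(r"\$\{\{\s*secrets\.")

def audit_workflow(text: str) -> list[str]:
    triggers = sorted(set(PRIVILEGED_TRIGGERS.findall(text)))
    if not triggers:
        return []  # fork PRs get a read-only token here, so the pattern does not apply
    findings = []
    if PR_HEAD_REF.search(text):
        findings.append(f"privileged trigger(s) {triggers} check out the untrusted PR head")
    if INSTALL_RUNS_SCRIPTS.search(text):
        findings.append("package install executes lifecycle scripts; add --ignore-scripts")
    if SECRETS.search(text):
        findings.append("repository secrets are exposed to the job")
    return findings
```

The line-based regexes are a heuristic for a quick repository sweep; a full YAML parse is needed to follow reusable workflows and composite actions.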

Exploit · LPE · RCE

Weakness Enumeration
Improper Privilege Management · Code Injection

Related Identifiers
BDU:2026-00155 · CVE-2025-54594 · GHSA-588G-38P4-GR6X

Affected Products
Npm · React-Native-Bottom-Tabs