CVE-2025-54594
react-native-bottom-tabs · react-native-bottom-tabs (and by extension, multiple downstream products that use this library)
Executive summary
A critical vulnerability has been identified in the react-native-bottom-tabs library, affecting versions 0.9.2 and below. The flaw resides within a GitHub Actions workflow, which can be manipulated by an attacker to inject malicious code into the software build process. This could lead to a supply chain attack, where applications using this library are unknowingly distributed with malicious code, potentially compromising end-user data and systems.
Vulnerability
The vulnerability exists in the `.github/workflows/release-canary.yml` GitHub Actions workflow. The workflow handles pull-request context unsafely: attacker-controlled values such as branch names or commit messages are interpolated into a script or command line without sanitization, which allows command injection. An unauthenticated attacker can open a pull request with a specially formatted branch name or commit message; when the workflow is triggered, the crafted string is executed on the build runner, giving arbitrary code execution there. With control of the runner, an attacker can alter the release artifacts, embedding malware or backdoors in the compiled library that is then published for developers to use.
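A defender-side check for this class of flaw, added here as an illustration and not code from the project: a small scanner that flags `run:` steps which splice pull-request-controlled expressions directly into the shell script, and accepts the hardened form that routes the same value through `env:` so the runner passes it as data rather than as command text. The two workflow snippets are constructed stand-ins, not the real `release-canary.yml`, and the list of untrusted expressions is assumed and not exhaustive.

```python
import re

# Expressions whose value a pull-request author controls (assumed, non-exhaustive list).
UNTRUSTED_EXPRS = ("github.head_ref", "github.event.pull_request.head.ref",
                   "github.event.pull_request.title", "github.event.pull_request.body",
                   "github.event.head_commit.message")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_injection_sinks(workflow_text):
    """Return (line_no, expr) for untrusted expressions interpolated into a run: script."""
    findings, in_run, run_indent = [], False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped:
            continue
        if in_run and indent <= run_indent:
            in_run = False                       # block scalar under run: has ended
        m = re.match(r"(-\s+)?run:\s*(.*)", stripped)
        if m:                                    # `run:` or `- run:` key
            run_indent = indent + len(m.group(1) or "")
            in_run = m.group(2) in ("|", "|-", ">", ">-", "")
            body = "" if in_run else m.group(2)  # inline script on the same line
        elif in_run:
            body = stripped                      # line inside the block scalar
        else:
            continue                             # env:, with:, name:, ... are not sinks
        for expr in EXPR_RE.findall(body):
            if any(expr.startswith(u) for u in UNTRUSTED_EXPRS):
                findings.append((lineno, expr))
    return findings

# Constructed workflows for illustration; not the project's real release-canary.yml.
HEADER = "on: pull_request\njobs:\n  canary:\n    runs-on: ubuntu-latest\n    steps:\n"
# The branch name is spliced into the shell script, so the runner executes it as code.
VULNERABLE = HEADER + """\
      - name: Tag canary build
        run: |
          echo "Building canary for ${{ github.head_ref }}"
          git tag "canary-${{ github.head_ref }}"
"""
# The same value is passed through env:, so the script only sees a quoted variable.
HARDENED = HEADER + """\
      - name: Tag canary build
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Building canary for $HEAD_REF"
          git tag "canary-$HEAD_REF"
"""
```

Running `find_injection_sinks` over every file under `.github/workflows/` in CI gives a cheap gate that catches this pattern before a workflow with `pull_request_target` or release permissions is merged.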
Business impact
This vulnerability is rated critical with a CVSS score of 9.1, reflecting its severe potential impact. Successful exploitation would result in a supply chain compromise, a highly effective attack vector. If your organization's applications use the vulnerable library, they could be trojanized to steal sensitive corporate or customer data, deploy ransomware, or use your infrastructure for further attacks. The consequences include significant reputational damage, loss of customer trust, regulatory fines for data breaches, and substantial financial costs associated with incident response and remediation.
Remediation
Immediate Action:
- Identify all applications and systems within your environment that utilize the `react-native-bottom-tabs` library.
- Update the dependency to the latest patched version (above 0.9.2) in all affected projects.
- Rebuild and redeploy all applications that were built using the vulnerable library version to ensure they are free from any potential compromise.
- Review access logs for build systems and artifact repositories for any signs of unauthorized access or modification around the time of vulnerable builds.
Proactive Monitoring:
- Monitor build server logs for unusual commands, network connections to unknown endpoints, or unexpected script executions during the CI/CD process.
- Implement integrity checks and binary analysis on all third-party libraries and release artifacts to detect anomalies or malicious code.
- Monitor deployed applications for anomalous behavior, such as unexpected network traffic or high resource consumption, which could indicate a compromise.
Compensating Controls:
- If immediate patching is not feasible, temporarily disable the automated `release-canary.yml` workflow in your fork of the repository to prevent exploitation.
- Implement a strict Software Bill of Materials (SBOM) to maintain visibility and control over all software dependencies.
- Enforce code signing for all release artifacts and verify signatures upon deployment to ensure their integrity has not been compromised.
- Harden CI/CD pipelines by limiting permissions, requiring manual approvals for sensitive workflows, and scanning workflow configurations for vulnerabilities.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.1) and the potential for a high-impact supply chain attack, this vulnerability requires immediate attention. We strongly recommend that all teams immediately initiate the remediation plan. The highest priority is to identify all instances of the react-native-bottom-tabs library and update them to a patched version. Although this CVE is not currently on the CISA KEV list, its critical nature warrants treating it with the same level of urgency as a known exploited vulnerability. A post-remediation audit of CI/CD security practices and dependency management is also advised to prevent similar issues in the future.