CVE-2026-58053
Gitea · act_runner
A container escape vulnerability in Gitea act_runner allows authenticated users to gain root access to the host machine by manipulating container options.
Executive summary
The Gitea act_runner Docker backend is vulnerable to a critical container escape flaw that permits an authenticated user to achieve root-level execution on the host system.
Vulnerability
This is a container escape vulnerability where the runner fails to properly sanitize Docker container.options. An authenticated user capable of triggering a workflow can inject host-level flags, effectively bypassing security restrictions.
Business impact
A successful exploit grants an attacker full root access to the underlying runner host, which may contain sensitive CI/CD secrets, source code, and credentials. Given the CVSS score of 9.9, this vulnerability represents a critical risk of total infrastructure compromise, potentially leading to supply chain attacks or lateral movement within the production environment.
Remediation
Immediate Action: Update Gitea act_runner to the latest version so that container configuration options are properly validated before a job container is created.
Proactive Monitoring: Review CI/CD pipeline logs for suspicious workflow submissions or unusual container configuration strings that attempt to utilize host namespaces.
Compensating Controls: Restrict the ability to execute workflows on Docker-backed runners to trusted users only and implement strict network segmentation for all runner hosts.
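As an added illustration (not act_runner's own code or its fix), the Go check below shows the kind of validation described under Vulnerability and the monitoring item above: it scans a workflow's container.options string and rejects flags that would hand the job container host namespaces, devices or host filesystem access. The flag lists and sample strings are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Flags rejected outright: they add privileges, devices or host filesystem
// access regardless of value. Illustrative denylist (assumption), not act_runner's.
var deniedFlags = map[string]bool{
	"--privileged": true, "--cap-add": true, "--device": true,
	"--security-opt": true, "--userns": true,
	"-v": true, "--volume": true, "--mount": true, "--volumes-from": true,
}

// Namespace flags rejected only when they join the host namespace.
var namespaceFlags = map[string]bool{
	"--pid": true, "--network": true, "--net": true, "--ipc": true, "--cgroupns": true,
}

// ValidateContainerOptions returns the first flag in a container.options string
// that would break container isolation, or "" if the options are acceptable.
// Tokens are split on whitespace; both "--flag=value" and "--flag value" are handled.
func ValidateContainerOptions(opts string) string {
	toks := strings.Fields(opts)
	for i, tok := range toks {
		name, value := tok, ""
		if eq := strings.Index(tok, "="); eq >= 0 {
			name, value = tok[:eq], tok[eq+1:]
		} else if i+1 < len(toks) {
			value = toks[i+1] // separate-argument form
		}
		if deniedFlags[name] {
			return name
		}
		if namespaceFlags[name] && value == "host" {
			return name + "=" + value
		}
	}
	return ""
}

func main() {
	// Constructed sample option strings as they might appear in a workflow file.
	for _, o := range []string{"--cpus 2 --memory 4g", "--privileged", "--pid=host --network host", "-v /:/host:ro"} {
		if bad := ValidateContainerOptions(o); bad != "" {
			fmt.Printf("REJECT %q: host-level flag %s\n", o, bad)
		} else {
			fmt.Printf("accept %q\n", o)
		}
	}
}
```

The same token scan can be run over archived workflow definitions or runner logs to flag past submissions that used these options.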
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw necessitates immediate attention. Organizations utilizing Gitea act_runner must prioritize patching to prevent unauthorized host access. Failure to address this vulnerability could lead to the complete compromise of the build environment and the exposure of sensitive development assets.