Cybersecurity researchers have recently unveiled a vulnerability in the Google Cloud Platform (GCP) Cloud Run service that posed significant risks by allowing potential unauthorized access to container images and the possibility of injecting malicious code. This vulnerability, named ImageRunner, was disclosed in a report by Tenable security researcher Liv Matan, highlighting how it could let attackers exploit permissions meant for managing revisions of Cloud Run services.
The flaw allowed identities that ordinarily held no container registry permissions to misuse their edit permissions on Cloud Run revisions. When a service is deployed through Cloud Run, its container image is pulled from Google Artifact Registry or Docker Hub at deploy time. An identity with the right Cloud Run permissions could therefore modify a Cloud Run service and deploy a new revision that referenced a private container image in the same GCP project, without itself having permission to read that image.
If an attacker acquired certain permissions, such as run.services.update and iam.serviceAccounts.actAs, they could alter the Cloud Run service and reference any private container image from the project, potentially accessing sensitive information and executing harmful operations. This could lead to data exfiltration or even granting the attacker control over a user’s machine.
Google responded to this vulnerability on January 28, 2025, with a patch requiring that the identity creating or modifying a Cloud Run resource hold explicit permission to access the container images the resource uses. Enforcing this permission check, particularly for Artifact Registry images, ensures that only identities already authorized to read an image can deploy it.
Tenable places ImageRunner in a broader class of issues it calls ‘Jenga’: cloud providers build services atop one another, so a flaw in one service can create vulnerabilities in every service that depends on it.
This disclosure follows earlier reports of vulnerabilities in other platforms, and it reiterates the importance of vigilant permission management and sound security practices across cloud services to mitigate the risk of privilege escalation.