ImageRunner: GCP Flaw Exposes Cloud Run Container Images


Cybersecurity researchers have disclosed a now-patched vulnerability in Google Cloud Platform (GCP) affecting the Cloud Run service. The flaw let an attacker holding a narrow set of permissions edit a service's revisions so that they ran a private container image the attacker could not otherwise read, exposing the image contents and opening a path to injecting malicious code, all without any direct access to the container registry itself.

The vulnerability, dubbed ImageRunner, was detailed by Tenable and stems from how Cloud Run deploys new service versions. Each deployment creates a new revision, and the image for that revision is pulled by the Cloud Run service agent, using the agent's own registry access rather than the deployer's. Within a single project, therefore, an identity could lack any registry permission yet still hold the right to modify Cloud Run services, and pointing a revision at a private image let it ride on the service agent's access, effectively bypassing the registry's access controls.

An attacker holding the run.services.update and iam.serviceAccounts.actAs permissions could edit a Cloud Run service so that its next revision referenced any private container image already present in the project. That alone exposed whatever sensitive data the image contained; because the revision's startup command and arguments are also under the attacker's control, it further allowed running commands inside the container to exfiltrate secrets or open a reverse shell to command-and-control infrastructure.

Google addressed the vulnerability on January 28, 2025. Since the fix, any principal (user or service account) that creates or updates a Cloud Run resource must hold explicit permission to read the container images it references; for private images in Artifact Registry, Google recommends granting that principal the Artifact Registry Reader role (roles/artifactregistry.reader).
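The permission gap described above (update a service, act as its service account, yet no registry read) is something a project owner can audit directly from the project IAM policy. The following script is an added example, not Tenable's or Google's code: it takes a policy in the shape returned by `gcloud projects get-iam-policy --format=json` (the policy here is constructed), flags ImageRunner-shaped principals, and shows the explicit reader grant that Google now requires. The role-to-permission table is an illustrative subset and is an assumption of the example; a real audit would fill it from `gcloud iam roles describe`, including custom roles.

```python
"""Audit a GCP project IAM policy for the ImageRunner permission gap.

Added example (not Tenable's or Google's code). Flags principals that can update
a Cloud Run service and impersonate its runtime service account, but hold no
permission to read images from Artifact Registry themselves. Before Google's fix
such a principal could still have the Cloud Run service agent pull any private
image in the project on its behalf.
"""
import json

# Permissions that matter for ImageRunner.
UPDATE_PERM = "run.services.update"
ACT_AS_PERM = "iam.serviceAccounts.actAs"
IMAGE_READ_PERM = "artifactregistry.repositories.downloadArtifacts"

# Illustrative subset of role -> permissions (an assumption for this example).
# Populate from `gcloud iam roles describe <role>` in practice, custom roles included.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.services.update", "run.services.get", "run.services.list"},
    "roles/run.admin": {"run.services.update", "run.services.get", "run.services.setIamPolicy"},
    "roles/run.viewer": {"run.services.get", "run.services.list"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs", "iam.serviceAccounts.get"},
    "roles/artifactregistry.reader": {"artifactregistry.repositories.downloadArtifacts",
                                      "artifactregistry.repositories.get"},
    "roles/artifactregistry.writer": {"artifactregistry.repositories.downloadArtifacts",
                                      "artifactregistry.repositories.uploadArtifacts"},
}

# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.developer",
     "members": ["user:deployer@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:deployer@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com",
                 "user:ops@example.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/run.viewer", "members": ["user:ops@example.com"]}
  ]
}
""")


def effective_permissions(policy, role_permissions):
    """Map each member to the union of permissions from every role bound to it.

    Conditional bindings are counted as granted: for an audit that is the
    conservative choice, since the condition may be true at attack time.
    Unknown (usually custom) roles contribute nothing and should be resolved
    by the caller before trusting a clean result.
    """
    perms = {}
    for binding in policy.get("bindings", []):
        granted = role_permissions.get(binding["role"], set())
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(granted)
    return perms


def find_imagerunner_candidates(policy, role_permissions=ROLE_PERMISSIONS):
    """Members who can update Cloud Run services and act as a service account
    but cannot read images from Artifact Registry on their own."""
    perms = effective_permissions(policy, role_permissions)
    return sorted(
        member for member, held in perms.items()
        if UPDATE_PERM in held and ACT_AS_PERM in held and IMAGE_READ_PERM not in held
    )


def grant_image_read(policy, member, role="roles/artifactregistry.reader"):
    """Return a copy of the policy with `member` added to an unconditional
    binding for `role`, the explicit grant that deploys referencing private
    images now need. Creates the binding if none exists."""
    new_policy = json.loads(json.dumps(policy))
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


if __name__ == "__main__":
    flagged = find_imagerunner_candidates(SAMPLE_POLICY)
    print("ImageRunner-shaped principals:", flagged)
    fixed = SAMPLE_POLICY
    for m in flagged:
        fixed = grant_image_read(fixed, m)
    print("After explicit reader grants:", find_imagerunner_candidates(fixed))
```

Run against the constructed policy, the audit flags `user:deployer@example.com` (can update services and act as a service account, no registry read), leaves the CI account alone because it already holds the reader role, and ignores `user:ops@example.com`, who can act as service accounts but cannot update services. Whether a flagged principal should receive the reader grant or lose the update permission is the least-privilege question the post-fix behaviour forces you to answer, since their deploys of private images now fail either way.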

Tenable categorized ImageRunner as part of a broader risk archetype they refer to as Jenga—an allusion to the delicate structure of the block-stacking game, where removing a single piece can topple the entire tower. Similarly, the interconnectedness of cloud services creates chains of dependencies wherein compromising one component can cascade into broader exposure across systems built upon it.

The research underscores how modern cloud infrastructures are becoming increasingly intricate and interdependent, giving rise to novel avenues for privilege escalation and latent threats. Securing such environments demands not only meticulous configuration management but also a comprehensive understanding of the architectural relationships between individual components.

In parallel, another recent discovery by Praetorian highlighted privilege escalation vectors within Microsoft Azure. Their findings demonstrated how virtual machines configured with administrative managed identities could be exploited to execute commands, gain access, and create or modify resources with inherited privileges — potentially leading to full subscription takeover or even elevation to Global Administrator in Entra ID.

Collectively, these cases reflect an emerging trend: adversaries are delving deeper into the nuances of cloud service implementations to uncover unconventional methods of circumventing restrictions. This necessitates a proactive stance from organizations — not just in applying security patches promptly, but in conducting continual audits of access architectures and privilege boundaries within their cloud ecosystems.
