Google Cloud recently addressed a critical vulnerability in its Cloud Run platform, named ImageRunner, which could have been exploited to expose sensitive information. This flaw, discovered by Tenable researchers, posed a significant threat to user data, potentially allowing malicious actors to gain unauthorized access to proprietary and sensitive images stored within the service.
What is ImageRunner?
The vulnerability, impacting Cloud Run—a serverless platform designed to let developers deploy containerized applications—allowed attackers with specific permissions on a user’s project to manipulate Cloud Run services. This access could have facilitated unauthorized retrieval of private container images, potentially exposing critical secrets.
The Exploit’s Potential Impact
In the worst-case scenario, an attacker could have exploited ImageRunner to extract sensitive data from a private image, leading to data exfiltration. This could result in the loss or theft of sensitive corporate or proprietary information, depending on the nature of the data stored within the affected containers.
Following the discovery, Google Cloud promptly informed Cloud Run customers in November 2024 and rolled out a security patch by January 28, 2025, to fix the issue. With the update, every Cloud Run deployment now includes an IAM (Identity and Access Management) check verifying that the deployer has read access to the container image. Previously, that IAM check ran only when the container image was being deployed from a different Google Cloud project.
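To make the fix concrete, the following is an added illustration (not Tenable's or Google's code) that models the deploy-time decision described above: before the patch, image read permission was only checked for images in another project; after it, the check runs for every deployment. The image references, principals, project names, the flat read-policy table and the audit helper are all constructed for this example and simplify real IAM, which also grants access through project-level roles and inheritance.

```python
"""Model of the post-patch Cloud Run deploy-time image-read check.

Added example, not code from the article, Tenable or Google Cloud. The
policy table and service list below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ImageRef:
    host: str
    project: str
    repository: str
    name: str


def parse_image_ref(ref: str) -> ImageRef:
    """Parse an Artifact Registry (…pkg.dev) or legacy gcr.io image reference."""
    host, _, path = ref.partition("/")
    # Strip a trailing @sha256:… digest or a :tag on the last path segment.
    if "@" in path:
        path = path.split("@", 1)[0]
    elif ":" in path.rsplit("/", 1)[-1]:
        path = path.rsplit(":", 1)[0]
    parts = path.split("/")
    if host.endswith("pkg.dev") and len(parts) >= 3:
        # REGION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE
        return ImageRef(host, parts[0], parts[1], "/".join(parts[2:]))
    if host.endswith("gcr.io") and len(parts) >= 2:
        # gcr.io/PROJECT/IMAGE: the registry host itself acts as the repository
        return ImageRef(host, parts[0], host, "/".join(parts[1:]))
    raise ValueError(f"unsupported image reference: {ref}")


# (project, repository) -> principals granted read on that repository.
# Flat table standing in for IAM policy bindings; constructed sample data.
ReadPolicy = Dict[Tuple[str, str], Set[str]]

CI_DEPLOYER = "serviceAccount:ci-deployer@acme-prod.iam.gserviceaccount.com"
CONTRACTOR = "user:contractor@example.com"

POLICY: ReadPolicy = {
    ("acme-prod", "app-images"): {CI_DEPLOYER},
    ("acme-shared", "base-images"): {CI_DEPLOYER},
}


def has_image_read(policy: ReadPolicy, image: ImageRef, principal: str) -> bool:
    """True if the principal holds read access on the image's repository."""
    return principal in policy.get((image.project, image.repository), set())


def deploy_allowed(policy: ReadPolicy, deploy_project: str, image: ImageRef,
                   deployer: str, patched: bool = True) -> bool:
    """Decide whether a deployment may reference the image.

    patched=False reproduces the pre-fix behaviour the article describes:
    the read check only ran when the image lived in another project.
    patched=True always requires read access on the image.
    """
    if not patched and image.project == deploy_project:
        return True  # pre-patch gap: same-project images were not checked
    return has_image_read(policy, image, deployer)


def audit_services(policy: ReadPolicy,
                   services: List[Tuple[str, str, str]]) -> List[str]:
    """Return names of services whose deployer lacks read on the image.

    Each entry is (service name, image reference, deploying principal);
    useful for reviewing existing deployments made before the fix.
    """
    flagged = []
    for name, image_ref, deployer in services:
        if not has_image_read(policy, parse_image_ref(image_ref), deployer):
            flagged.append(name)
    return flagged


# Constructed sample services; the digest is a placeholder, not a real image.
SERVICES = [
    ("api", "us-docker.pkg.dev/acme-prod/app-images/api:v3", CI_DEPLOYER),
    ("batch", "us-docker.pkg.dev/acme-prod/app-images/batch@sha256:"
              + "0" * 64, CONTRACTOR),
    ("worker", "gcr.io/acme-shared/worker:1.2", CI_DEPLOYER),
]

if __name__ == "__main__":
    img = parse_image_ref(SERVICES[1][1])
    print("pre-patch allowed:", deploy_allowed(POLICY, "acme-prod", img, CONTRACTOR, patched=False))
    print("post-patch allowed:", deploy_allowed(POLICY, "acme-prod", img, CONTRACTOR))
    print("services to review:", audit_services(POLICY, SERVICES))
```

Running the script shows the contractor's same-project deployment passing under the pre-patch rule and failing under the post-patch rule, and the audit flags both the `batch` service and the `worker` service (whose gcr.io repository has no binding in the constructed table). In a real project the equivalent review means comparing each service's image reference against the Artifact Registry repository's IAM policy rather than against a flat dictionary.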
Technical Details and Security Enhancements
Tenable has released detailed technical information outlining the steps involved in exploiting the vulnerability. In response, Google Cloud has reassured its customers that the update has effectively addressed the ImageRunner vulnerability by strengthening IAM permissions.
This incident highlights the importance of strict access control and auditing within cloud environments to prevent similar security flaws from being exploited in the future. Google Cloud’s swift action underscores the platform’s commitment to safeguarding user data against evolving cybersecurity threats.