## GitHub Runner Scaler Vulnerability: Unbounded Memory Growth via ETag State Accumulation
A memory exhaustion vulnerability has been identified in the KEDA GitHub Runner scaler, stemming from the absence of cache eviction logic for the enableEtags feature. The scaler maintains persistent state maps tracking etags, previousJobs, previousWfrs, and previousRepos, using repository names and constructed URLs as map keys. Under normal operation, these entries should remain bounded. However, an attacker with control over the githubApiURL parameter can trigger catastrophic state growth.

The attack exploits the user-configurable API endpoint. An attacker can configure a ScaledObject with enableEtags set to "true" and direct githubApiURL toward a malicious server. This server responds with a constantly rotating list of unique, large repository names on each polling interval. Because the scaler accumulates these keys and values indefinitely within the long-lived operator process, memory consumption grows unbounded over time. The absence of TTL logic, pruning mechanisms, or entry limits means even modest polling frequency eventually overwhelms available system resources.

This vulnerability poses a targeted denial-of-service risk for Kubernetes clusters running GitHub Actions-based workloads via KEDA. Organizations relying on the GitHub Runner scaler should evaluate whether enableEtags is active in their ScaledObject configurations and consider disabling the feature until a patch implementing cache eviction policies is available. The recommended remediation involves implementing both entry count limits and periodic pruning of stale entries absent from recent API responses.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: keda, github-runner-scaler, memory-exhaustion, state-accumulation, cache-eviction
- **Credibility**: unverified
- **Published**: 2026-04-26 20:54:09
- **ID**: 77235
- **URL**: https://whisperx.ai/en/intel/77235