CVE-2025-30154

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887	Patch
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec	Patch
https://github.com/reviewdog/reviewdog/issues/2079	Issue Tracking Vendor Advisory
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc	Vendor Advisory
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup	Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154	US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:reviewdog:action-ast-grep::::::::
	cpe:2.3:a:reviewdog:action-composite-template::::::::
	cpe:2.3:a:reviewdog:action-setup:1:::::::*
	cpe:2.3:a:reviewdog:action-shellcheck::::::::
	cpe:2.3:a:reviewdog:action-staticcheck::::::::
	cpe:2.3:a:reviewdog:action-typos::::::::

History

No history.

Information

Published : 2025-03-19 16:15

Updated : 2025-10-24 13:58

NVD link : CVE-2025-30154

Mitre link : CVE-2025-30154

CVE.ORG link : CVE-2025-30154

JSON object : View

Products Affected

reviewdog

action-composite-template
action-shellcheck
action-ast-grep
action-setup
action-staticcheck
action-typos

CWE

CWE-506

Embedded Malicious Code

NVD-CWE-Other

{"id": "CVE-2025-30154", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2025-03-19T16:15:33.780", "references": [{"url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/reviewdog/reviewdog/issues/2079", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154", "tags": ["US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-506"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."}, {"lang": "es", "value": "reviewdog/action-setup es una acci\u00f3n de GitHub que instala reviewdog. La acci\u00f3n reviewdog/action-setup@v1 se vio comprometida el 11 de marzo de 2025, entre las 18:42 y las 20:31 UTC, con c\u00f3digo malicioso que vierte los secretos expuestos en los registros del flujo de trabajo de acciones de GitHub. Otras acciones de reviewdog que usan `reviewdog/action-setup@v1` y que tambi\u00e9n podr\u00edan verse comprometidas, independientemente de la versi\u00f3n o el m\u00e9todo de fijaci\u00f3n, son reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep y reviewdog/action-typos."}], "lastModified": "2025-10-24T13:58:58.223", "cisaActionDue": "2025-04-14", "cisaExploitAdd": "2025-03-24", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "803018C3-8A54-4257-8AA0-34C8A44C158B", "versionEndExcluding": "1.26.2"}, {"criteria": "cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CA481E1-E3A5-4D2B-9F18-84F640CAB12E", "versionEndExcluding": "0.20.2"}, {"criteria": "cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5FB52BE-EC23-4D44-99C9-A87DA1C1146B"}, {"criteria": "cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5BC0E9A-9A25-44F7-B93D-F8B37816EA90", "versionEndExcluding": "1.29.2"}, {"criteria": "cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E197FFD7-ACAE-470F-8734-B49CD171C9B1", "versionEndExcluding": "1.26.2"}, {"criteria": "cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2894269-B4A0-4BA1-BEB9-493B5E4D409B", "versionEndExcluding": "1.17.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]", "cisaRequiredAction": "Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability"}