CVE Alert: CVE-2025-30154

Vulnerability Summary: CVE-2025-30154
reviewdog/action-setup is a GitHub Action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions workflow logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and would also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Affected Endpoints:
No affected endpoints listed.
Published Date:
3/19/2025, 4:15:33 PM
🔥 CVSS Score:
Exploit Status:
Not Exploited
References:
- https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
- https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
- https://github.com/reviewdog/reviewdog/issues/2079
- https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.