CVE-2025-30154 – reviewdog/action-setup

Package

Manager: github_actions
Name: reviewdog/action-setup
Vulnerable Version: =1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

EPSS: 0.37115 pctl0.97048

Details

Multiple Reviewdog actions were compromised during a specific time period ### Summary `reviewdog/action-setup@v1` was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` would also be compromised, regardless of version or pinning method: - reviewdog/action-shellcheck - reviewdog/action-composite-template - reviewdog/action-staticcheck - reviewdog/action-ast-grep - reviewdog/action-typos ### Details Malicious commit: https://github.com/reviewdog/action-setup/commit/f0d342d fix/retag via version upgrade: https://github.com/reviewdog/action-setup/commit/3f401fe See the detailed report from Wiz Research: [Wiz Blog Post](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup) and reviewdog maintainer annoucement: [reviewdog #2079](https://github.com/reviewdog/reviewdog/issues/2079)

Metadata

Created: 2025-03-19T15:19:12Z
Modified: 2025-03-20T18:59:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-qmg3-hpqr-gqvc/GHSA-qmg3-hpqr-gqvc.json
CWE IDs: ["CWE-506"]
Alternative ID: GHSA-qmg3-hpqr-gqvc
Finding: F448
Auto approve: 1