Description

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

INFO

Published Date :

2025-03-19T15:15:29.113Z

Last Modified :

2026-02-26T19:09:21.840Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-30154 vulnerability.

Vendors Products
Reviewdog
  • Action-ast-grep
  • Action-composite-template
  • Action-setup
  • Action-shellcheck
  • Action-staticcheck
  • Action-typos
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-30154.

URL Resource
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887 cve-icon cve-icon
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec cve-icon cve-icon
https://github.com/reviewdog/reviewdog/issues/2079 cve-icon cve-icon
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154 cve-icon cve-icon
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact