Vulnerabilites related to reviewdog - reviewdog
cve-2025-30154
Vulnerability from cvelistv5
Published
2025-03-19 15:15
Modified
2025-03-25 03:55
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
References
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvcx_refsource_CONFIRM
https://github.com/reviewdog/reviewdog/issues/2079x_refsource_MISC
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887x_refsource_MISC
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ecx_refsource_MISC
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setupx_refsource_MISC
Impacted products
Vendor Product Version
reviewdog reviewdog Version: = 1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-30154",
                        options: [
                           {
                              Exploitation: "active",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-21T00:00:00+00:00",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
               {
                  other: {
                     content: {
                        dateAdded: "2025-03-24",
                        reference: "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
                     },
                     type: "kev",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-25T03:55:15.353Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            timeline: [
               {
                  lang: "en",
                  time: "2025-03-24T00:00:00+00:00",
                  value: "CVE-2025-30154 added to CISA KEV",
               },
            ],
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "reviewdog",
               vendor: "reviewdog",
               versions: [
                  {
                     status: "affected",
                     version: "= 1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.6,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-506",
                     description: "CWE-506: Embedded Malicious Code",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-19T15:15:29.113Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc",
            },
            {
               name: "https://github.com/reviewdog/reviewdog/issues/2079",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/reviewdog/reviewdog/issues/2079",
            },
            {
               name: "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887",
            },
            {
               name: "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec",
            },
            {
               name: "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup",
            },
         ],
         source: {
            advisory: "GHSA-qmg3-hpqr-gqvc",
            discovery: "UNKNOWN",
         },
         title: "Multiple Reviewdog actions were compromised during a specific time period",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2025-30154",
      datePublished: "2025-03-19T15:15:29.113Z",
      dateReserved: "2025-03-17T12:41:42.566Z",
      dateUpdated: "2025-03-25T03:55:15.353Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}