Vulnerability DatabaseCVE-2025-30154
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-30154
March 19, 2025
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use "reviewdog/action-setup@v1" that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Related Resources (8)
https://nvd.nist.gov/vuln/detail/CVE-2025-30154
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
https://github.com/reviewdog/reviewdog
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
https://github.com/reviewdog/reviewdog/issues/2079
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Exploit Maturity
HIGH
Weakness Type (CWE)
Embedded Malicious Code
CWE-506
EPSS
Base Score:
15.39