Home > Vulnerability Database > CVE-2025-30154

Mend.io Vulnerability Database

CVE-2025-30154

Date: March 19, 2025

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use "reviewdog/action-setup@v1" that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Severity Score

8.6

Related Resources (9)

Url: https://github.com/reviewdog/reviewdog/issues/2079

Url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154

Url: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

Url: https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Url: https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-30154

Url: https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887

Url: https://github.com/reviewdog/reviewdog

Url: https://www.mend.io/vulnerability-database/CVE-2025-30154

Severity Score

8.6

Weakness Type (CWE)

Embedded Malicious Code

CWE-506

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-30154

Date: March 19, 2025

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?