CVE-2025-30154

216.73.216.226

· Published 19/03/2025 16:15 · Modified 19/03/2025 16:15

Labels: CVE-2025-30154 2025-03-19 CVE-2025-30154 CWE-506 [email protected]

Essential information

Published: 19/03/2025 16:15
Modified: 19/03/2025 16:15
Author: —
Creator: —
CVSS: 8.6 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS metrics

Description

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
reviewdog / action-setup	`cpe:2.3:a:reviewdog:action-setup:v1:::::::*`
reviewdog / action-shellcheck	`cpe:2.3:a:reviewdog:action-shellcheck:::::::*`
reviewdog / action-composite-template	`cpe:2.3:a:reviewdog:action-composite-template:::::::*`
reviewdog / action-staticcheck	`cpe:2.3:a:reviewdog:action-staticcheck:::::::*`
reviewdog / action-ast-grep	`cpe:2.3:a:reviewdog:action-ast-grep:::::::*`
reviewdog / action-typos	`cpe:2.3:a:reviewdog:action-typos:::::::*`