CVE-2025-30154

Multiple Reviewdog actions were compromised during a specific time period

CVSS 8.6 HIGH · EPSS 2.3% · KEV · CWE-506
In short

A GitHub Action used to install reviewdog was compromised for roughly two hours on March 11, 2025: malicious code was added that dumped the secrets available to the workflow into the workflow logs. Several other reviewdog actions that depend on it were affected as well, and so was any workflow that ran one of them during that window.

Technical detail

reviewdog/action-setup@v1 was compromised on 2025-03-11 between 18:42 and 20:31 UTC; during that window it contained malicious code that wrote the GitHub Actions secrets available to the job into the workflow logs. Because the downstream actions action-shellcheck, action-composite-template, action-staticcheck, action-ast-grep and action-typos invoke `reviewdog/action-setup@v1` internally, they were affected regardless of how the workflow pinned them: pinning a downstream action to a tag or even a full commit SHA does not change the mutable v1 tag that action fetches. The attack vector is the software supply chain; the impact is disclosure of repository secrets, tokens and credentials in workflow logs, which are world-readable for public repositories and visible to anyone with read access on private ones. Any secret present in a job that ran an affected action in that window should be treated as compromised and rotated.
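The practical question for a practitioner is which workflows referenced any of the affected actions, independent of pin style, and which runs of those workflows started inside the compromise window. The scanner below is an added example written for this page, not code from reviewdog, GitHub or TrueHacking. It parses `uses:` lines with a regular expression rather than a YAML library so it runs offline, and the embedded sample workflow (including its 40-hex-character placeholder SHA) is constructed for illustration and corresponds to no real commit.

```python
"""Find workflow references to the reviewdog actions affected by CVE-2025-30154.

Every action in AFFECTED resolves reviewdog/action-setup@v1 internally, so a workflow
that pinned e.g. reviewdog/action-shellcheck to a full commit SHA was still exposed:
the pin protects the wrapper, not the mutable v1 tag the wrapper fetches. The scanner
therefore flags every reference regardless of pin kind, and run_in_window() answers
the second question (did a run start in the compromise window?) for timestamps taken
from the workflow-run history.
"""
import re
from datetime import datetime, timezone

# Actions named in the advisory; all of them depend on reviewdog/action-setup@v1.
AFFECTED = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

# Compromise window published in the advisory (UTC).
WINDOW_START = datetime(2025, 3, 11, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 11, 20, 31, tzinfo=timezone.utc)

# Matches "uses: owner/repo[/path]@ref", with or without quotes, in list or map form.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)(?:@([^\s"\']+))?', re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_affected_uses(workflow_text):
    """Return (line_no, action, ref, pin_kind) for each affected action referenced."""
    hits = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2) or ""
        # Normalise to owner/repo so sub-path references (owner/repo/dir@ref) match too.
        key = "/".join(action.split("/")[:2]).lower()
        if key not in AFFECTED:
            continue
        if SHA_RE.match(ref):
            pin_kind = "sha"        # still affected: the wrapper fetches action-setup@v1
        elif ref:
            pin_kind = "tag/branch"
        else:
            pin_kind = "default-branch"
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        hits.append((line_no, action, ref, pin_kind))
    return hits


def run_in_window(started_at):
    """True if a run's start time (ISO 8601, e.g. '2025-03-11T19:05:12Z' as returned by
    the GitHub workflow-runs API) falls inside the compromise window."""
    ts = datetime.fromisoformat(started_at.replace("Z", "+00:00"))
    return WINDOW_START <= ts <= WINDOW_END


# Constructed sample workflow for demonstration; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-shellcheck@66c9a47bf02f2c5d4c84d3e1bb2e8b7a0e1c9d4f  # placeholder
      - uses: reviewdog/action-setup@v1
      - uses: "reviewdog/action-typos@v1"
      - uses: some-other/action@v2
"""

if __name__ == "__main__":
    for line_no, action, ref, pin_kind in find_affected_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<default>'} ({pin_kind}) -> affected, rotate secrets if run in window")
    for ts in ("2025-03-11T19:05:12Z", "2025-03-12T09:00:00Z"):
        print(ts, "in compromise window" if run_in_window(ts) else "outside window")
```

Point the scanner at every file under `.github/workflows/` in each repository, then query the workflow-run history for the flagged workflows and pass each run's start time to `run_in_window`; a single run inside the window means every secret the job could read should be rotated, since the logs were the exfiltration channel.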

Summary generated and translated by AI from the official description.
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and that would therefore also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
reviewdog · reviewdog
