NVD Vulnerability Details: CVE-2025-30154
Status: Analyzed | Known KEV
Source: security-advisories@github.com
Published At: 19 Mar, 2025 | 16:15
Updated At: 29 Mar, 2025 | 01:00

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions workflow logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and that would also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

CISA Catalog
Date Added: 2025-03-24
Due Date: 2025-04-14
Vulnerability Name: reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Metrics
Type | Version | Base score | Base severity | Vector
Secondary | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CPE Matches
Vendor | Product | Versions | CPE
reviewdog | action-ast-grep | Versions before 1.26.2 (exclusive) | cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:*
reviewdog | action-composite-template | Versions before 0.20.2 (exclusive) | cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:*
reviewdog | action-setup | 1 | cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:*
reviewdog | action-shellcheck | Versions before 1.29.2 (exclusive) | cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:*
reviewdog | action-staticcheck | Versions before 1.26.2 (exclusive) | cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:*
reviewdog | action-typos | Versions before 1.17.2 (exclusive) | cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:*
Weaknesses
CWE ID | Type | Source
CWE-506 | Primary | security-advisories@github.com
NVD-CWE-Other | Primary | nvd@nist.gov
References
Hyperlink | Source | Resource
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887 | security-advisories@github.com | Patch
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec | security-advisories@github.com | Patch
https://github.com/reviewdog/reviewdog/issues/2079 | security-advisories@github.com | Issue Tracking, Vendor Advisory
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc | security-advisories@github.com | Vendor Advisory
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup | security-advisories@github.com | Exploit, Third Party Advisory