Cyber Posture

CVE-2025-30154

High · CISA KEV · Active Exploitation · Public PoC

Published: 19 March 2025
Modified: 24 October 2025
KEV Added: 24 March 2025
Patch: available (see Security Summary)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.3399 (97.0th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Security Summary

CVE-2025-30154 describes a supply chain compromise in the reviewdog/action-setup@v1 GitHub Action, which is used to install reviewdog. On March 11, 2025, between 18:42 and 20:31 UTC, malicious code was inserted into this action, causing it to dump exposed secrets to GitHub Actions Workflow Logs. The compromise extends to other reviewdog actions that depend on reviewdog/action-setup@v1, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos, irrespective of their specific versions or pinning configurations.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or authentication, as reflected in its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Any GitHub repository owner or CI/CD pipeline operator using the affected actions during the specified time window risks automatic execution of the malicious code in their workflows, resulting in the high-impact leakage of sensitive secrets such as API keys or tokens to publicly accessible or retained workflow logs.

Advisories and patches are detailed in GitHub's security advisory GHSA-qmg3-hpqr-gqvc, reviewdog issue #2079, and commits like 3f401fe1d58fe77e10d665ab713057375e39b887 and f0d342d24037bb11d26b9bd8496e0808ba32e9ec in the reviewdog/action-setup repository, along with analysis from Wiz. These resources outline the incident response, code reversion, and recommendations for remediation.
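As an added, defender-side example that is not part of this page or of the reviewdog project: a Python check that scans a workflow file for the actions named in the summary above and decides whether a given run, by its start time, falls inside the stated compromise window and so warrants rotating every secret that workflow could read. The affected-action list and the window come from this page; the sample workflow and its 40-character SHA are constructed.

```python
import re
from datetime import datetime, timezone

# Actions this page lists as affected. Assumption: any workflow reference to
# them is worth flagging, since the page says the compromise reached dependent
# actions regardless of their own version or pin (they pull action-setup@v1).
AFFECTED_ACTIONS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
}
# Compromise window stated on the page: 11 March 2025, 18:42 to 20:31 UTC.
WINDOW_START = datetime(2025, 3, 11, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 11, 20, 31, tzinfo=timezone.utc)
# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// uses do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@'\"\s]*)?@([^'\"\s]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_affected_uses(workflow_text):
    """Return (action, ref, pinned_to_sha) for every affected action referenced."""
    return [(action, ref, bool(SHA_RE.match(ref)))
            for action, ref in USES_RE.findall(workflow_text)
            if action in AFFECTED_ACTIONS]

def run_needs_secret_rotation(workflow_text, run_started):
    """True if a run started inside the window and used an affected action.
    pinned_to_sha is reported but deliberately not trusted here: per the page,
    a SHA-pinned action-shellcheck still resolved action-setup@v1."""
    if run_started.tzinfo is None:
        raise ValueError("run_started must be timezone-aware")
    started_utc = run_started.astimezone(timezone.utc)
    if not WINDOW_START <= started_utc <= WINDOW_END:
        return False
    return bool(find_affected_uses(workflow_text))

# Constructed sample workflow (not from a real repository); the SHA is made up.
SAMPLE_WORKFLOW = """\
name: lint
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-shellcheck@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
"""
```

Run start times come from the CI system's run metadata; the check treats a hit in the window as "rotate", not as proof of exfiltration, since the page describes secrets landing in logs rather than a confirmed read by the attacker.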

Details

CWE(s): CWE-506 · NVD-CWE-Other
KEV Date Added: 24 March 2025

Affected Products

Vendor / Product: Affected versions
reviewdog / action-ast-grep: ≤ 1.26.2
reviewdog / action-composite-template: ≤ 0.20.2
reviewdog / action-setup: 1 (the v1 tag)
reviewdog / action-shellcheck: ≤ 1.29.2
reviewdog / action-staticcheck: ≤ 1.26.2
reviewdog / action-typos: ≤ 1.17.2

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The CVE explicitly describes a supply chain compromise of a GitHub Action dependency (T1195.001) that inserts malicious code to dump secrets to workflow logs, directly facilitating access to unsecured credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
