CVERadar

CVE-2025-30154

Severity: Critical
Vendor: Reviewdog
SVRS: 75/100
CVSSv3: 8.6/10
EPSS: 0.44231

CVE-2025-30154 is a high-severity (CVSS 3.1 base score 8.6) supply chain compromise of the reviewdog/action-setup GitHub Action. Malicious code was injected into reviewdog/action-setup@v1, and workflows that ran it had their secrets written into GitHub Actions workflow logs. Because other reviewdog actions, including reviewdog/action-shellcheck, invoke reviewdog/action-setup@v1 internally, they were affected as well, regardless of the version or pinning method used for the outer action. The

With an SVRS score of 75, the platform rates both the likelihood of exploitation and the potential blast radius as high. Secrets written to a workflow log (API keys, cloud credentials, registry tokens, deploy keys) can be replayed by an attacker for unauthorized access to, and further compromise of, every system that trusts them. Exploitation was observed in the wild, so treat any secret available to a workflow that ran an affected action during the compromise window as exposed: audit the workflow logs from that window, rotate those secrets, and repin the affected actions before running them again.

In The Wild | CISA KEV | Exploit Available
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Published: 2025-03-19 | Updated: 2025-03-29

SOCRadar AI Insight

Description

CVE-2025-30154 is a supply chain compromise of the reviewdog/action-setup@v1 GitHub Action. Malicious code was injected into the action between 18:42 and 20:31 UTC on March 11, 2025; workflows that ran it during that window had their secrets written to GitHub Actions workflow logs. The compromise reaches beyond reviewdog/action-setup@v1 itself: other reviewdog actions that call it internally were affected too, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep and reviewdog/action-typos. The CVSS base score is 8.6; the SOCRadar Vulnerability Risk Score (SVRS) of 78 falls just below the platform's critical threshold of 80 but still calls for prompt assessment and mitigation. Exploitation has been observed in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE to its Known Exploited Vulnerabilities catalog.

Key Insights

  1. Supply Chain Vulnerability: A widely used GitHub Action was turned into a credential harvester by injecting code behind its v1 tag. Trust in an action's maintainers does not protect a consumer once the tag they reference is retargeted; any action a workflow runs executes with that workflow's secrets.
  2. Secret Exposure: The injected code wrote the secrets available to the job into the workflow log. That includes repository and organization secrets such as API keys, passwords, cloud and registry credentials, and anyone with read access to the logs (which, on public repositories, is everyone) could collect them.
  3. Broad Impact: The dependent reviewdog actions are composite actions that reference reviewdog/action-setup@v1 by tag, so even a workflow that pinned reviewdog/action-shellcheck to a commit SHA pulled the compromised code. Transitive action dependencies need the same scrutiny as direct ones.
  4. Active Exploitation and CISA Warning: The compromise was exploited in the wild, and CISA added CVE-2025-30154 to its Known Exploited Vulnerabilities catalog, which sets remediation deadlines for federal agencies and signals urgency for everyone else. Audit, rotation and repinning should not wait for a scheduled maintenance window.

Mitigation Strategies

  1. Review and Audit GitHub Actions: Inventory every action used across your repositories, including those pulled in transitively by composite actions, and check each against its maintainer's advisory. Restrict which actions may run with GitHub's "allow select actions" policy at the organization or repository level, and re-audit that allowlist regularly.
  2. Implement Secret Management Best Practices: Keep secrets out of code and workflow files, scope each secret to the environments and jobs that need it, prefer short-lived credentials over long-lived tokens, and rotate any secret that was available to a workflow that ran an affected action during the compromise window. Review workflow logs from that window for leaked values and for retrievals of them.
  3. Pin Action Versions: Reference actions by full commit SHA rather than by tag or branch; tags are mutable, and in this incident the v1 tag is what delivered the malicious code. A SHA pin on the outer action does not pin what that action's own action.yml references, so inspect the pinned action's steps for tag references to other actions before trusting the pin.
  4. Scan Action Usage and Monitor for Compromises: Scan workflow files for reviewdog/action-setup@v1 and for the dependent reviewdog actions listed above, and watch maintainer advisories and threat intelligence feeds for further compromises of GitHub Actions.
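The audit in steps 3 and 4 above, as an added example written for this page (it is not reviewdog's, GitHub's or SOCRadar's code): it scans `uses:` references in workflow text, flags anything not pinned to a full commit SHA, and follows composite actions so that a workflow pinning reviewdog/action-shellcheck to a SHA is still flagged when that action's action.yml references reviewdog/action-setup@v1. The sample workflow and action.yml below are constructed, and the commit SHAs in them are placeholders, not real commits.

```python
"""Audit GitHub Actions `uses:` references, following composite actions.

Added example, not reviewdog's, GitHub's or SOCRadar's code.  The sample
workflow and action.yml texts are constructed; their commit SHAs are
placeholders.  It shows why a SHA pin on an outer action is not enough:
the pinned action's own action.yml may still say `uses: owner/repo@v1`.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo@ref`, optionally quoted. A regex is enough for this
# audit and avoids a YAML dependency.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Actions known to have been compromised at a mutable ref (from the advisory).
COMPROMISED = {'reviewdog/action-setup'}


@dataclass(frozen=True)
class Finding:
    location: str   # where the reference was found, including the chain of composite actions
    uses: str       # the literal `uses:` value
    reason: str


def parse_uses(text):
    """Return every `uses:` value in a workflow or action.yml, in file order."""
    return [m.group(1) for m in map(USES_RE.match, text.splitlines()) if m]


def split_ref(uses):
    """Return (owner/repo, ref); (None, None) for local and docker references."""
    if uses.startswith('./') or uses.startswith('docker://'):
        return None, None
    path, _, ref = uses.partition('@')
    repo = '/'.join(path.split('/')[:2])   # drop any sub-path inside the repo
    return repo, ref


def classify(uses):
    """None when the reference is immutable (full commit SHA), else a reason."""
    repo, ref = split_ref(uses)
    if repo is None:
        return None
    if not ref:
        return 'no ref: resolves to the default branch'
    if FULL_SHA_RE.match(ref):
        return None
    return f'mutable ref {ref!r}: a tag or branch can be retargeted'


def audit(workflow_text, actions, compromised=COMPROMISED):
    """Flag mutable and compromised references, transitively through composite actions.

    `actions` maps 'owner/repo' to the action.yml text of that action, as fetched
    for the commit the workflow pins.
    """
    findings, visited = [], set()

    def walk(text, location):
        for uses in parse_uses(text):
            repo, _ = split_ref(uses)
            if repo is None:
                continue
            reason = classify(uses)
            if reason is not None and repo in compromised:
                findings.append(Finding(location, uses, 'compromised action via ' + reason))
            elif reason is not None:
                findings.append(Finding(location, uses, reason))
            # A SHA pin on the outer action does not pin what its action.yml uses.
            if repo in actions and repo not in visited:
                visited.add(repo)
                walk(actions[repo], f'{location} -> {repo}/action.yml')

    walk(workflow_text, 'workflow')
    return findings


# Constructed sample input (placeholder SHAs, not real commits).
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: actions/setup-node@v4
      - uses: reviewdog/action-shellcheck@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
        with:
          reporter: github-pr-review
      - uses: ./.github/actions/local-lint
"""

# Constructed action.yml in the shape of the dependent actions: a composite
# action that installs reviewdog through the mutable v1 tag.
SAMPLE_ACTIONS = {
    'reviewdog/action-shellcheck': """\
name: Run shellcheck with reviewdog
runs:
  using: composite
  steps:
    - uses: reviewdog/action-setup@v1
    - run: shellcheck "$@"
      shell: bash
""",
}

if __name__ == '__main__':
    for f in audit(SAMPLE_WORKFLOW, SAMPLE_ACTIONS):
        print(f'{f.location}: {f.uses}: {f.reason}')
```

Run as-is it reports two findings: `actions/setup-node@v4` in the workflow (mutable tag), and `reviewdog/action-setup@v1` reached through `reviewdog/action-shellcheck/action.yml` even though the workflow pinned that action to a SHA. In practice you would populate `actions` by fetching `action.yml` at the pinned commit for each third-party action, and treat a SHA pin on a compromised action as needing a check against the maintainer's advisory rather than as automatically safe.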


Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Link | Date
reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability | https://www.cisa.gov/search?g=CVE-2025-30154 | 2025-03-24

The entry above is CISA's Known Exploited Vulnerabilities catalog record for this CVE (added 2025-03-24), not exploit code; no public proof-of-concept is listed on this page.

News

GitHub Action compromise linked to previously undisclosed attack - Cybersecurity Dive (2025-03-20)
Dive Brief: The GitHub Action supply chain compromise that threatened the security of more than 23,000 repositories appears to be linked to a previously undisclosed attack against a second entity last week, according to security researchers and federal authorities. The previously disclosed compromise of tj-actions/changed-files appears to be related to the March 11 attack against reviewdog/action-setup@v1, which is being tracked as CVE-2025-30154. The tj-actions/changed-files compromise, tracked as CVE-2025-30066, took place between March 14-15 and led to secrets
Source: google.com
Coinbase originally targeted during GitHub Action supply chain attack - Cybersecurity Dive (2025-03-21)
Dive Brief: The threat actors in the GitHub Action supply chain attack were targeting Coinbase as part of their initial wave, according to a report from Palo Alto Networks Unit 42. Researchers from Wiz confirmed that Coinbase was the original target in an updated blog post. The attack was designed to exploit the public continuous integration/continuous delivery flow of one of the crypto exchange's open source projects, called agentkit. Researchers said the attackers likely wanted to leverage the project for additional compromises, but they were unable
Source: google.com
CISA Adds One Known Exploited Vulnerability to Catalog - CISA (2025-05-01)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2025-30154 (https://www.cve.org/CVERecord?id=CVE-2025-30154)
Source: us-cert.gov
U.S. CISA adds Sitecore CMS and XP, and GitHub Action flaws to its Known Exploited Vulnerabilities catalog - Pierluigi Paganini (2025-03-27)
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Sitecore CMS and XP, and GitHub Action flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2019-9875 (CVSS score of 8.8) is a Deserialization of Untrusted Data in the anti [...]
Source: securityaffairs.co
Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154) - CISA (2025-03-26)
A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. tj-actions/changed-files is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information
Source: cisa.gov
GitHub Action Security Breach Raises Concerns Over Supply Chain Risks - Trapti Rajput (2025-03-26)
An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1
Source: blogger.com
Hackers attempt to break into Coinbase using the exchange's own open-source code - Gustavo Bertolucci (2025-03-24)
The US exchange Coinbase was the target of an attempted attack involving the compromise of automated actions on GitHub. The incident is part of a chain of attacks that began in March 2025. Detection of the intrusion attempt quickly drew the attention of companies
Source: livecoins.com.br

Social Media

We added GitHub Actions vulnerability CVE-2025-30154, affecting reviewdog actions that use reviewdog/action-setup@v1, to our Known Exploited Vulnerabilities Catalog. #CyberSecurity https://t.co/fcLYXa1ZJA

Warning: #CVE-2025-30154 affects #Github Actions (reviewdog/action-setup@v1) and can potentially extract sensitive secrets and credentials. #CISA added it to its #KEV list.

This breach (tracked as CVE-2025-30154, CVSS 8.6) enabled attackers to: Steal a Personal Access Token (PAT) from the tj-bot-actions account; Modify the tj-actions/changed-files repository; Insert malicious code affecting all dependent projects

🚨 CVE Alert: reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability Exploited In The Wild 🚨 Vulnerability Details: CVE-2025-30154 (CVSS 8.6/10) reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability. Impact: A successful exploit allows https://t.co/jOXuFM5Ix7

Latest Known Exploited Vulnerabilities (#KEV): #CVE-2025-30154 #reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability https://t.co/V2x9TWfFar

CVE-2025-30154: New GitHub Action Vulnerability in CISA Catalog https://t.co/EQXigKJzGw

🛡️ We added GitHub Actions vulnerability CVE-2025-30154, affecting reviewdog actions that use reviewdog/action-setup@v1, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity https://t.co/Tnl16RKEFW

CISACyber RT: 🛡️ We added GitHub Actions vulnerability CVE-2025-30154, affecting reviewdog actions that use reviewdog/action-setup@v1, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/bLjkLHuWBi & apply mitigations to protect your or… https://t.co/9oZm91dh26

A supply chain attack initially aimed at Coinbase has expanded to compromise 218 GitHub repositories, exposing CI/CD secrets. Vulnerabilities CVE-2025-30066 and CVE-2025-30154 are linked. 🚨 #Coinbase #GitHub #USA link: https://t.co/KNPAdaAiGh https://t.co/saeN1qmaZT

🚨 Coinbase dodged a bullet, but 218 repos weren't so lucky. A GitHub supply chain attack hijacked tj-actions/changed-files, leaking secrets from 200+ projects. 🔍 CVE-2025-30066 + CVE-2025-30154 | CVSS 8.6 🎯 Targets: DockerHub, npm, AWS creds 🕵️‍♂️ Tactics: Fork PRs, dangling https://t.co/Usg4QXsxjN

Affected Software

Configuration 1
Type | Vendor | Product
App | Reviewdog | action-setup

References

https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
https://github.com/reviewdog/reviewdog/issues/2079
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

CWE Details

CWE ID | CWE Name | Description
CWE-506 | Embedded Malicious Code | The application contains code that appears to be malicious in nature.
