CVE-2025-30154
published 2025-03-19


Priority: P1 80 high
CVSS 3.1 base score: 8.6 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N)
KEV · ITW
CISA Known Exploited Vulnerability (remediation due 2025-04-14)
Exploited in the wild
EPSS: 2.30% (percentile 81.1)
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets into GitHub Actions workflow logs. Other reviewdog actions that use `reviewdog/action-setup@v1` internally are also compromised, regardless of their own version or pinning method: reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Affected (7 ranges)

Vendor     Product                    Version range   Fixed in
reviewdog  action-ast-grep            < 1.26.2        1.26.2
reviewdog  action-composite-template  < 0.20.2        0.20.2
reviewdog  action-setup               (v1 tag)
reviewdog  action-shellcheck          < 1.29.2        1.29.2
reviewdog  action-staticcheck         < 1.26.2        1.26.2
reviewdog  action-typos               < 1.17.2        1.17.2
reviewdog  reviewdog
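The affected table above is easiest to act on as a check over a repository's workflow files. The script below is an added example, not code from the page or from the reviewdog project: it extracts `uses:` steps with a line regex rather than a YAML parser (so it assumes one `uses:` per line), compares tag versions against the fixed-in versions from the table, and applies the advisory's two pinning rules: a hash-pinned `reviewdog/action-setup` is fine, but a hash-pinned downstream action still needs verification because its own action definition pulled `action-setup@v1` by tag. The sample workflow is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Fixed-in versions for the downstream reviewdog actions, taken from the
# affected table above. Releases below these consumed action-setup@v1.
FIXED_IN = {
    "reviewdog/action-ast-grep": (1, 26, 2),
    "reviewdog/action-composite-template": (0, 20, 2),
    "reviewdog/action-shellcheck": (1, 29, 2),
    "reviewdog/action-staticcheck": (1, 26, 2),
    "reviewdog/action-typos": (1, 17, 2),
}
SETUP_ACTION = "reviewdog/action-setup"

# Matches "uses: owner/repo[/path]@ref" step lines; a trailing comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([\w./-]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """'v1.29.1' -> (1, 29, 1); None for SHAs, branches and non-numeric tags."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", ref)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(action: str, ref: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'affected', 'ok' or 'verify'."""
    if action == SETUP_ACTION:
        if ref == "v1":
            return "affected", "references the compromised v1 tag"
        if SHA_RE.match(ref):
            return "ok", "hash-pinned action-setup was not affected"
        return "verify", "ref other than v1; confirm what it resolved to"
    if action not in FIXED_IN:
        return "ok", "not one of the reviewdog actions listed in the advisory"
    fixed = FIXED_IN[action]
    fixed_str = ".".join(map(str, fixed))
    if SHA_RE.match(ref):
        # Pinning the downstream action by hash does not help by itself: its
        # own action.yml pulled reviewdog/action-setup@v1 by tag.
        return "verify", f"hash-pinned, but releases before {fixed_str} used action-setup@v1 internally"
    ver = parse_version(ref)
    if ver is None:
        return "verify", "branch or non-numeric ref"
    if len(ver) < 3:
        return "verify", f"floating tag; resolved to a release before {fixed_str} during the window"
    if ver < fixed:
        return "affected", f"below fixed version {fixed_str}"
    return "ok", f"at or above fixed version {fixed_str}"


def scan_workflow(text: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (line, action, ref, status, reason) for every 'uses:' step."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            status, reason = classify(action, ref)
            findings.append((n, action, ref, status, reason))
    return findings


# Constructed sample workflow (hypothetical; not from any real repository).
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@v1.29.1
      - uses: reviewdog/action-staticcheck@v1.26.2
      - uses: reviewdog/action-typos@v1
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567  # hash-pinned
"""

if __name__ == "__main__":
    for n, action, ref, status, reason in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref}: {status} ({reason})")
```

Run it over each file under `.github/workflows/`; anything reported as `affected` or `verify` needs its run history between 18:42 and 20:31 UTC on 2025-03-11 reviewed, since a floating tag that is safe today still resolved to the compromised code during the window.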

Detection & IOCs (extracted from sources)

Path: install.sh
  • Check workflow logs for a double-encoded base64 string payload; its presence confirms that the malicious payload executed and that secrets may have been exposed.
  • The malicious payload did not use curl for exfiltration: secrets were dumped directly into the workflow logs as a double-encoded base64 string, not sent to an external server. Detection should focus on log content, not on outbound network traffic.
  • Audit CI runners for process memory dumping activity; Wiz Sensor flags this as a malicious behavior pattern associated with this attack.
  • Downstream actions that transitively use reviewdog/action-setup@v1 are also affected regardless of their own pinning method: reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, reviewdog/action-typos.
  • Monitor GitHub audit logs for suspicious bot activity, such as deleted workflow logs or unusual merges, which may indicate abuse of credentials obtained through this attack.
  • No external C2 exfiltration was observed: secrets were leaked only into the workflow logs of the affected repositories, not sent to an attacker-controlled server. Note that on public repositories those logs are readable by anyone, so the secrets should be treated as exposed and rotated.
  • Hash-pinned versions of reviewdog/action-setup are not affected; only the v1 tag was compromised. Downstream actions that reference action-setup@v1 inside their own action definition are affected regardless of how the workflow pins them.
  • Workflows that do not explicitly pass custom secrets (e.g., token: ${{ secrets.MYSECRET }}) are unlikely to have had sensitive secrets exposed.
  • The attacker likely force-pushed back to the older commit after achieving their goal, so the malicious commit may no longer be visible in the repository history; absence of malicious code in the current repository state does not mean the attack did not occur.
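Since the indicator is the log content itself rather than network traffic, the practical check is to scan archived workflow logs for long base64 runs that decode cleanly twice into credential-like text. The script below is an added example and not code from the page, from Wiz, or from the reviewdog project; it assumes logs are available as plain text lines (as downloaded from the run) and uses a heuristic (printable text mentioning token/secret/key names) to separate a secrets dump from an ordinary single-encoded blob such as a digest. All sample log lines and the "secrets" in them are constructed for the example.

```python
import base64
import binascii
import re
from typing import Iterable, List, Optional, Tuple

# A run of base64 alphabet long enough to be a payload rather than a short ID.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SECRET_HINT = re.compile(r"(?i)(token|secret|password|passwd|api[_-]?key|private[_-]?key)")


def decode_twice(token: str) -> Optional[bytes]:
    """Strictly base64-decode twice; None if either layer is not valid base64."""
    try:
        inner = base64.b64decode(token, validate=True)
        return base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_secret_dump(data: bytes) -> bool:
    """Heuristic: mostly printable text that mentions credential-like names."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for c in text if c.isprintable() or c in "\r\n\t")
    return printable / len(text) > 0.95 and SECRET_HINT.search(text) is not None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_text) for every double-encoded secret blob."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in B64_RUN.findall(line):
            plain = decode_twice(token)
            if plain is not None and looks_like_secret_dump(plain):
                hits.append((n, plain.decode("utf-8")))
    return hits


# --- constructed sample data; none of it comes from a real run -------------
FAKE_DUMP = "GITHUB_TOKEN=example-not-a-real-token\nMYSECRET=example-not-a-real-secret\n"
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(FAKE_DUMP.encode())).decode()
# A single-encoded binary blob (a fake digest) that must not produce a hit.
SINGLE_ENCODED = base64.b64encode(bytes(range(32))).decode()

SAMPLE_LOG = [
    "2025-03-11T19:05:12.0000000Z Run reviewdog/action-setup@v1",
    "2025-03-11T19:05:13.0000000Z Downloading reviewdog archive, sha256=" + SINGLE_ENCODED,
    "2025-03-11T19:05:14.0000000Z " + DOUBLE_ENCODED,
    "2025-03-11T19:05:15.0000000Z Installation complete",
]

if __name__ == "__main__":
    for n, text in scan_log(SAMPLE_LOG):
        print(f"line {n}: double-encoded payload decodes to:\n{text}")
```

A hit means the payload ran in that job and everything in the decoded text is burned; rotate it rather than debating whether anyone read the log. The heuristic will miss a dump that contains no recognizable credential names, so when a job is already known to have run the compromised tag, review every long base64 run in its log by hand.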

CVSS provenance

NVD (CVSS v3.1): 8.6 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
VulnCheck: 8.6 HIGH
CISA: 8.6 HIGH