CVE-2025-30154
Published 2025-03-19
Priority: P1 · 80 · high · CVSS 3.1 base score 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CISA Known Exploited Vulnerability (KEV), exploited in the wild; remediation due 2025-04-14
EPSS: 2.30% (81.1th percentile)
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions workflow logs. Other reviewdog actions that use `reviewdog/action-setup@v1` are also compromised, regardless of their own version or pinning method: reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reviewdog | action-ast-grep | < 1.26.2 | 1.26.2 |
| reviewdog | action-composite-template | < 0.20.2 | 0.20.2 |
| reviewdog | action-setup | — | — |
| reviewdog | action-shellcheck | < 1.29.2 | 1.29.2 |
| reviewdog | action-staticcheck | < 1.26.2 | 1.26.2 |
| reviewdog | action-typos | < 1.17.2 | 1.17.2 |
| reviewdog | reviewdog | — | — |
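As an added example (not code from reviewdog, Wiz or this advisory), a Python check that walks the `uses:` lines of a workflow file and applies the rules above: a full-SHA pin of reviewdog/action-setup is unaffected, a reference to its v1 tag is affected, and the five downstream actions are affected below the fixed releases in the table whatever their own pin. The sample workflow fragment is constructed; the release numbers come from the table.

```python
import re
# Downstream reviewdog actions and the releases that fixed them (this page's Affected table).
# reviewdog/action-setup itself has no fixed release: only its mutable v1 tag was compromised.
FIXED_IN = {
    "reviewdog/action-ast-grep": (1, 26, 2),
    "reviewdog/action-composite-template": (0, 20, 2),
    "reviewdog/action-shellcheck": (1, 29, 2),
    "reviewdog/action-staticcheck": (1, 26, 2),
    "reviewdog/action-typos": (1, 17, 2),
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """v1.29.1 -> (1, 29, 1); None for branches, short tags such as v1, or commit SHAs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(action, ref):
    """Verdict for one `uses:` reference, or None when the action is not in scope."""
    if action == "reviewdog/action-setup":
        if SHA_RE.match(ref):
            return "unaffected: full-SHA pin never resolved to the compromised v1 tag"
        return "affected: the v1 tag was compromised" if ref == "v1" else "review: mutable non-v1 ref"
    if action in FIXED_IN:
        version = parse_version(ref)
        if version is not None and version >= FIXED_IN[action]:
            return "fixed"
        # A SHA or branch pin of the downstream action does not help: it pulled action-setup@v1.
        return "affected: transitively uses action-setup@v1, regardless of pinning"
    return None

def scan_workflow(text):
    """Return (line, action, ref, verdict) for every in-scope `uses:` line of a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        verdict = classify(m.group(1), m.group(2)) if m else None
        if verdict:
            findings.append((lineno, m.group(1), m.group(2), verdict))
    return findings

# Constructed sample workflow fragment (not taken from any real repository).
SAMPLE_WORKFLOW = """\
steps:
  - uses: reviewdog/action-setup@v1
  - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887
  - uses: reviewdog/action-shellcheck@v1.29.1
  - uses: reviewdog/action-typos@v1.17.2
"""
```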
Detection & IOCs (extracted from sources)
- Check workflow logs for a double-encoded base64 string payload; its presence confirms successful execution of the malicious payload and potential secret exfiltration.
- The malicious payload did NOT use curl for exfiltration: secrets were dumped directly into workflow logs as a double-encoded base64 string, not sent to an external server. Detection should focus on log content, not outbound network traffic.
- Audit CI runner process memory dumping activity; Wiz Sensor detects this as a malicious behaviour pattern associated with this attack.
- Downstream actions that transitively use reviewdog/action-setup@v1 are also affected regardless of their own pinning method: reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, reviewdog/action-typos.
- Monitor GitHub audit logs for suspicious bot activity such as deleting workflow logs or unusual merges, which may indicate abuse of compromised credentials obtained via this attack.
- No external C2 exfiltration was observed: secrets were only leaked within the workflow logs of affected repositories themselves, not sent to an attacker-controlled server.
- Hash-pinned versions of reviewdog/action-setup are NOT affected; only the v1 tag was compromised. However, downstream actions using v1 transitively are affected regardless of their own pinning.
- Workflows that do not explicitly reference custom secrets (e.g., `token: ${{ secrets.MYSECRET }}`) are unlikely to have had sensitive secrets compromised.
- The attacker likely force-pushed back to the older commit after achieving their goal, meaning the malicious commit may no longer be visible in the repository history; absence of malicious code in the current repo state does not mean the attack did not occur.
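An added example, not from any of the sources quoted here: a Python heuristic for the first two indicators that flags workflow log lines carrying a base64 blob which decodes to another valid base64 string of printable data. The log lines and the placeholder secrets are constructed; this page does not describe the payload's internal layout, so the check keys only on the double-encoding property.

```python
import base64
import binascii
import re

# Long runs of base64 alphabet characters; hex digests also match here, so the
# decode stages below are what separate a real double-encoded blob from noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_b64(token):
    """Strict base64 decode; None if the token is not well-formed base64."""
    if len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def double_decode(token):
    """Return the plaintext behind a double-encoded base64 token, or None."""
    inner = decode_b64(token)
    if inner is None or not inner.isascii():
        return None
    inner_text = inner.decode("ascii").strip()
    if not B64_TOKEN.fullmatch(inner_text):
        return None
    payload = decode_b64(inner_text)
    return payload if payload is not None and payload.isascii() else None

def scan_log(lines):
    """(line_number, token) for every double-encoded base64 blob found in the log."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in B64_TOKEN.finditer(line):
            if double_decode(m.group(0)) is not None:
                hits.append((lineno, m.group(0)))
    return hits

# Constructed sample log: ordinary step output plus one line carrying a double-encoded
# dump of placeholder secrets (no real credentials).
PLACEHOLDER_DUMP = b"SECRET_ONE=placeholder-value-1\nSECRET_TWO=placeholder-value-2\n"
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(PLACEHOLDER_DUMP)).decode()
SAMPLE_LOG = [
    "2025-03-11T19:02:10Z Run reviewdog/action-setup@v1",
    "2025-03-11T19:02:11Z Installing reviewdog ... done",
    "2025-03-11T19:02:12Z " + DOUBLE_ENCODED,
]
```

Hits should be triaged by rotating every secret the workflow could see, since a matching line means the dump already sits in a log that anyone with read access to the run can fetch.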
CVSS provenance
- nvd: v3.1 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
- vulncheck: 8.6 HIGH
- cisa: 8.6 HIGH
CISA
reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
cisa · 2025-03-24 · CVSS 8.6 · CVE-2025-30154 [HIGH] · CWE-506
Affected: reviewdog action-setup GitHub Action
reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to GitHub Actions Workflow Logs.
Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compr
GHSA
Multiple Reviewdog actions were compromised during a specific time period
ghsa · 2025-03-19 · CVE-2025-30154 [HIGH] · CWE-506
### Summary
`reviewdog/action-setup@v1` was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs.
Other reviewdog actions that use `reviewdog/action-setup@v1` would also be compromised, regardless of version or pinning method:
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
### Details
Malicious commit: https://github.com/reviewdog/action-setup/commit/f0d342d
fix/retag via version upgrade: https://github.com/reviewdog/action-setup/commit/3f401fe
See the detailed report from Wiz Research: [Wiz Blog Post](https://www.wiz.io
VulnCheck
reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
vulncheck · 2025 · CVSS 8.6 · CVE-2025-30154 [HIGH] · CWE-506
reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to GitHub Actions Workflow Logs.
Affected: reviewdog action-setup GitHub Action
Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/threat-signal-report/6052/github-actions-supply-chain-attack; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-repor
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud Newsletter - April 2025 | Wiz
blogs_wiz · 2025-04-01 · CVSS 9.8 · CVE-2025-24813 [CRITICAL]
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype - RCE Vulnerability in Apache Tomcat Exploited in-the-Wild
CVE-2025-24813 is a remote code execution (RCE) vulnerability affecting Apache Tomcat. Under specific conditions, an attacker can upload a malicious session file via a partial PUT request and trigger its execution, potentially leading to full server compromise. The exploit requires several preconditions to be met, including specific server configurations and the presence of a deserialization-vulnerable library. While active exploitation has reportedly been observed in the wild, we estimate that in practice,
Wiz
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog
blogs_wiz · 2025-03-17
March 21, 2025 update:
We can now publicly disclose two additional details on this incident.
1) the specific target mentioned in the original post is Coinbase, who have confirmed an unsuccessful attempt to compromise `coinbase/agentkit`. Wiz has identified GitHub identities related to the attack, indicating the attacker is active in the crypto ecosystem, French and English speaking, and with working hours aligned to Europe or Africa.
The earliest indication of this connection was provided by San Tran on March 15th. We discovered further evidence of this connection, including:
1. A commit on `tj-actions/changed-files` from March 13th, with a payload variant that explicitly targets Coinbase repositories
2. A workflow log in `coinbase/agentkit` from March 14th, tied to a commit impersonat
Wiz
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog
blogs_wiz · 2025-03-17 · CVSS 8.6 · CVE-2025-30154 [HIGH]
March 19, 2025 update: This issue has been assigned CVE-2025-30154.
March 19, 2025 update: A reviewdog maintainer, in response to Wiz's disclosure, has published a detailed breakdown of the incident and their response.
A supply chain attack on the popular GitHub Action tj-actions/changed-files caused many repositories to leak their secrets over the weekend. Wiz Research has discovered an additional supply chain attack on reviewdog/action-setup@v1, that may have contributed to the compromise of tj-actions/changed-files. At this point we believe this is a chain of supply chain attacks eventually leading to a
References
- https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
- https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
- https://github.com/reviewdog/reviewdog/issues/2079
- https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154
Timeline
- 2025-03-19: Published
- 2025-03-24: Added to CISA KEV (exploited in the wild)