CVE-2025-30154
📋 TL;DR
CVE-2025-30154 is a supply chain attack where the reviewdog/action-setup GitHub Action was compromised with malicious code that exfiltrates exposed secrets to GitHub Actions Workflow Logs. This affects any GitHub workflow using reviewdog/action-setup@v1 or dependent actions like reviewdog/action-shellcheck during the compromise window, regardless of version pinning.
💻 Affected Systems
- reviewdog/action-setup
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
📦 What is this software?
Action Ast Grep by Reviewdog
Action Setup by Reviewdog
Action Typos by Reviewdog
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive secrets (API keys, tokens, credentials) stored in GitHub repositories, leading to unauthorized access to cloud resources, source code repositories, and downstream systems.
Likely Case
Exposed secrets are captured from workflow logs, potentially enabling attackers to compromise associated services and infrastructure.
If Mitigated
With proper secret management and monitoring, impact is limited to exposed secrets requiring rotation and investigation.
🎯 Exploit Status
The malicious code was actively deployed in the compromised action, making exploitation automatic for affected workflows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: reviewdog/action-setup@v1 after March 11, 2025 20:31 UTC
Vendor Advisory: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
Restart Required: No
Instructions:
1. Check GitHub Actions workflow logs for March 11, 2025 between 18:42-20:31 UTC.
2. Rotate all exposed secrets.
3. Update workflows to use reviewdog/action-setup@v1.1.0 or later.
4. Consider migrating to reviewdog/action-setup@v2.
🔧 Temporary Workarounds
Temporarily disable reviewdog actions
Disable all GitHub workflows using reviewdog actions until patched
🧯 If You Can't Patch
- Immediately rotate all secrets exposed in GitHub Actions workflows
- Implement GitHub Actions secret scanning and monitoring
🔍 How to Verify
Check if Vulnerable:
Review GitHub Actions workflow runs between March 11, 2025 18:42-20:31 UTC for use of reviewdog/action-setup@v1
Check Version:
Check GitHub workflow YAML for 'uses: reviewdog/action-setup@...'
Verify Fix Applied:
Confirm workflow uses reviewdog/action-setup@v1.1.0+ or v2, and check for absence of secret leakage in logs
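An added example, not from the advisory or the reviewdog project, that applies the version check above to a workflow file: it reports every reference to an action listed under Affected Systems, whether the reference is pinned to a commit SHA, and whether an action-setup tag is at or past v1.1.0. The affected-action list and the v1.1.0 threshold come from this page; the sample workflow and its SHA are constructed placeholders.

```python
import re
# Actions listed under Affected Systems on this page; action-setup@v1.1.0+ is the fixed tag.
AFFECTED = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}
FIXED_SETUP = (1, 1, 0)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

def parse_tag(ref):
    """'v1', 'v1.1.0', '2' -> comparable tuple; None for branches and SHAs."""
    m = TAG_RE.match(ref)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(action, ref):
    """Triage label for one `uses:` reference; None if the action is not on the affected list."""
    if action not in AFFECTED:
        return None
    if SHA_RE.match(ref):
        return "pinned-sha"  # immutable ref; still review run logs for the compromise window
    ver = parse_tag(ref)
    if action == "reviewdog/action-setup" and ver is not None and ver >= FIXED_SETUP:
        return "fixed-tag"
    return "review"  # mutable tag/branch: audit 2025-03-11 18:42-20:31 UTC runs, rotate, update

def scan_workflow(text):
    """Return [(action, ref, label)] for every affected-action reference in workflow YAML text."""
    hits = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and (label := classify(m.group(1), m.group(2))):
            hits.append((m.group(1), m.group(2), label))
    return hits

# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: reviewdog/action-setup@v1
  - uses: reviewdog/action-shellcheck@v1.29.0
  - uses: reviewdog/action-setup@v1.1.0
  - uses: reviewdog/action-setup@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""
```

Run `scan_workflow` over each file under `.github/workflows/`; a "review" hit means the reference can still resolve to a tag that was retargeted, so check that repository's runs in the 18:42-20:31 UTC window and rotate anything printed there.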
📡 Detection & Monitoring
Log Indicators:
- Unexpected secret values in GitHub Actions workflow logs
- Suspicious log entries during March 11, 2025 18:42-20:31 UTC timeframe
Network Indicators:
- Unusual outbound connections from GitHub Actions runners
SIEM Query:
source="github-actions" AND ("reviewdog/action-setup" OR "reviewdog/action-") AND timestamp BETWEEN "2025-03-11T18:42:00Z" AND "2025-03-11T20:31:00Z"
🔗 References
- https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887
- https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
- https://github.com/reviewdog/reviewdog/issues/2079
- https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154