CVE-2025-30154
Published: 19 March 2025
Summary
CVE-2025-30154 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in Reviewdog Action-Ast-Grep. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
reviewdog/action-setup is a GitHub Action used to install reviewdog in workflows. Version v1 of the action was compromised on March 11 2025 between 18:42 and 20:31 UTC when malicious code was inserted that exfiltrates any exposed secrets into GitHub Actions workflow logs. The same injected behavior affects reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos whenever they reference the compromised setup action, regardless of version pinning.
An attacker who can publish to the action repository can therefore obtain secrets from any downstream workflow that invokes the action, resulting in a supply-chain confidentiality breach with network attack vector and no required privileges or user interaction according to the CVSS 8.6 rating.
The linked GitHub commits and the reviewdog security advisory GHSA-qmg3-hpqr-gqvc document the malicious changes and the subsequent remediation steps taken by the maintainers.
EPSS scores have remained near 0.37 with negligible movement between peak and current values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6724
Vulnerability details
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would…
more
also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
- CWE(s)
- KEV Date Added
- 24 March 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE explicitly describes a supply chain compromise of a GitHub Action dependency (T1195.001) that inserts malicious code to dump secrets to workflow logs, directly facilitating access to unsecured credentials (T1552).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Verifies the authenticity of supply chain components like the compromised reviewdog/action-setup GitHub Action prior to implementation, directly preventing execution of tampered versions.
Requires digital signatures for third-party components such as GitHub Actions, ensuring only verified and untampered code is incorporated into CI/CD pipelines.
Enforces integrity verification of software and firmware, detecting malicious modifications in supply chain components like reviewdog/action-setup before or during execution.