CVE-2025-30154
Published: 19 March 2025
Summary
CVE-2025-30154 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in Reviewdog Action-Ast-Grep. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 3.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Verifies the authenticity of supply chain components such as the compromised reviewdog/action-setup GitHub Action prior to implementation, directly preventing execution of tampered versions.
- CM-14 (Signed Components): Requires digital signatures for third-party components such as GitHub Actions, ensuring only verified and untampered code is incorporated into CI/CD pipelines.
- SI-7 (Software, Firmware, and Information Integrity): Enforces integrity verification of software and firmware, detecting malicious modifications in supply chain components such as reviewdog/action-setup before or during execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE explicitly describes a supply chain compromise of a GitHub Action dependency (T1195.001) that inserts malicious code to dump secrets to workflow logs, directly facilitating access to unsecured credentials (T1552).
NVD Description
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Deeper analysis
CVE-2025-30154 describes a supply chain compromise in the reviewdog/action-setup@v1 GitHub Action, which is used to install reviewdog. On March 11, 2025, between 18:42 and 20:31 UTC, malicious code was inserted into this action, causing it to dump exposed secrets to GitHub Actions Workflow Logs. The compromise extends to other reviewdog actions that depend on reviewdog/action-setup@v1, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos, irrespective of their specific versions or pinning configurations.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or authentication, as reflected in its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Any GitHub repository owner or CI/CD pipeline operator using the affected actions during the specified time window risks automatic execution of the malicious code in their workflows, resulting in the high-impact leakage of sensitive secrets such as API keys or tokens to publicly accessible or retained workflow logs.
Advisories and patches are detailed in GitHub's security advisory GHSA-qmg3-hpqr-gqvc, reviewdog issue #2079, and commits like 3f401fe1d58fe77e10d665ab713057375e39b887 and f0d342d24037bb11d26b9bd8496e0808ba32e9ec in the reviewdog/action-setup repository, along with analysis from Wiz. These resources outline the incident response, code reversion, and recommendations for remediation.
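The point that matters for remediation is the one the NVD text makes in passing: pinning the other reviewdog actions did not help, because each of them calls reviewdog/action-setup@v1 internally, so the mutable `v1` tag was resolved at run time regardless of how the outer action was referenced. A defender therefore needs two checks over workflow files: is every `uses:` reference pinned to a full commit SHA, and does the workflow reference any of the actions the advisory lists. The following script is an added example written for this page, not code from reviewdog, GitHub or the advisory; the sample workflow and its 40-hex "SHA" values are constructed placeholders, and the regex-based `uses:` extraction is a deliberate simplification that avoids a YAML library dependency.

```python
import re
from dataclasses import dataclass

# Actions named in the advisory as affected: the compromised action itself,
# plus the composite actions that invoke reviewdog/action-setup@v1 internally.
# For the latter, pinning the outer action to a SHA gives no protection, so
# they are flagged regardless of how they are referenced.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

# Matches `uses: owner/repo[/path]@ref`, `uses: ./local`, `uses: docker://...`
# on a step line, with or without a leading list dash and optional quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    ref: str      # the literal `uses:` target as written in the workflow
    reason: str   # why it was flagged


def parse_uses(workflow_text):
    """Return every `uses:` target found in a workflow file, in order."""
    return USES_RE.findall(workflow_text)


def audit_workflow(workflow_text):
    """Flag unpinned references and references to advisory-listed actions."""
    findings = []
    for ref in parse_uses(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no git ref to pin
        repo, sep, version = ref.partition("@")
        owner_repo = "/".join(repo.split("/")[:2])  # drop any sub-path
        if owner_repo in AFFECTED_ACTIONS:
            findings.append(Finding(
                ref,
                "advisory-listed reviewdog action; the compromise reached it via "
                "its internal action-setup@v1 call regardless of pinning"))
        if not sep or not FULL_SHA_RE.match(version):
            findings.append(Finding(
                ref, "not pinned to a full commit SHA (mutable tag or branch)"))
    return findings


# Constructed sample workflow (not from any real repository). The two 40-hex
# values are placeholders shaped like commit SHAs, not real commits.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - name: shellcheck
        uses: reviewdog/action-shellcheck@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding.ref}: {finding.reason}")
```

Run against the sample, the pinned `actions/checkout` step and the local action produce nothing; `reviewdog/action-setup@v1` is flagged twice (listed action, mutable tag) and the SHA-pinned `reviewdog/action-shellcheck` once, which is exactly the case the advisory warns about: a reference that looks correctly pinned but still depends on a mutable tag one level down. To extend the check to that level, fetch the referenced action's `action.yml` at the pinned SHA and run `audit_workflow` over it too; composite actions declare their own steps with the same `uses:` syntax.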
Details
- CWE(s): CWE-506 (Embedded Malicious Code)
- KEV Date Added: 24 March 2025