
CVE-2025-30154

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 19 March 2025
Modified: 24 October 2025
KEV Added: 24 March 2025
Patch:
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.3708 (97.3rd percentile)
Risk Priority: 59 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30154 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in Reviewdog Action-Ast-Grep. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE is ranked in the top 2.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

reviewdog/action-setup is a GitHub Action used to install reviewdog in workflows. Version v1 of the action was compromised on March 11, 2025, between 18:42 and 20:31 UTC, when malicious code was inserted that exfiltrates any exposed secrets into GitHub Actions workflow logs. The same injected behavior affects reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos whenever they reference the compromised setup action, regardless of how the calling workflow pinned them.

An attacker able to publish to the action repository can therefore obtain secrets from any downstream workflow that invokes the action. The CVSS 8.6 rating reflects a supply-chain confidentiality breach that is reachable over the network and requires neither privileges nor user interaction.

The linked GitHub commits and the reviewdog security advisory GHSA-qmg3-hpqr-gqvc document the malicious changes and the subsequent remediation steps taken by the maintainers.

EPSS scores have remained near 0.37 with negligible movement between peak and current values.


Vulnerability details

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

CWE(s): CWE-506 (Embedded Malicious Code)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The CVE explicitly describes a supply chain compromise of a GitHub Action dependency (T1195.001) that inserts malicious code to dump secrets to workflow logs, directly facilitating access to unsecured credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45321: shared CWE-506; both on KEV
CVE-2025-54313: shared CWE-506; both on KEV
CVE-2026-33634: shared CWE-506; both on KEV
CVE-2026-48027: shared CWE-506; both on KEV
CVE-2026-8398: shared CWE-506; both on KEV
CVE-2025-30066: shared CWE-506; both on KEV
CVE-2025-59374: shared CWE-506; both on KEV
CVE-2026-31976: shared CWE-506
CVE-2024-3094: shared CWE-506
CVE-2026-34424: shared CWE-506

Affected Assets

reviewdog/action-ast-grep: ≤ 1.26.2
reviewdog/action-composite-template: ≤ 0.20.2
reviewdog/action-setup: 1
reviewdog/action-shellcheck: ≤ 1.29.2
reviewdog/action-staticcheck: ≤ 1.26.2
reviewdog/action-typos: ≤ 1.17.2

Mitigating Controls (NIST 800-53 r5)

Component authenticity (prevent): verifies the authenticity of supply chain components such as the compromised reviewdog/action-setup GitHub Action prior to implementation, directly preventing execution of tampered versions.

CM-14 Signed Components (prevent): requires digital signatures for third-party components such as GitHub Actions, ensuring only verified and untampered code is incorporated into CI/CD pipelines.

SI-7 Software, Firmware, and Information Integrity (prevent, detect): enforces integrity verification of software and firmware, detecting malicious modifications in supply chain components like reviewdog/action-setup before or during execution.
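The following is an added example for this page, not code from the reviewdog project or the advisory. It turns the "Deeper analysis" and mitigating-controls text into two defender-side checks: an audit of workflow files for steps that use the affected actions (distinguishing a direct reference to action-setup, which is judged by its own pin, from the dependent actions, which the advisory says were affected regardless of pinning), and a triage of workflow run timestamps against the published 18:42 to 20:31 UTC window so that the runs whose logs and secrets need review can be listed. The sample workflow, the 40-hex commit SHA in it, and the run records are all constructed placeholders.

```python
"""Audit GitHub Actions workflow files for the reviewdog actions named in
CVE-2025-30154 and triage workflow runs against the published compromise window.
Added example for this page; not code from the reviewdog project or the advisory."""
import re
from datetime import datetime, timezone

# Actions and highest affected versions as listed under "Affected Assets";
# reviewdog/action-setup is affected at its v1 tag.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup": "1",
    "reviewdog/action-shellcheck": "1.29.2",
    "reviewdog/action-composite-template": "0.20.2",
    "reviewdog/action-staticcheck": "1.26.2",
    "reviewdog/action-ast-grep": "1.26.2",
    "reviewdog/action-typos": "1.17.2",
}

# Compromise window stated in the advisory: 11 March 2025, 18:42 to 20:31 UTC.
WINDOW_START = datetime(2025, 3, 11, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 11, 20, 31, tzinfo=timezone.utc)

# Matches `uses: owner/repo[/subpath]@ref` steps; a plain regex keeps this
# dependency-free, at the cost of not handling every YAML quoting form.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(yaml_text):
    """Return (action, ref, reason) for every step that uses an affected action.

    Per the advisory, the dependent actions pulled reviewdog/action-setup@v1
    internally, so they were affected regardless of how the workflow pinned them;
    only a direct reference to action-setup is judged by its own pin.
    """
    findings = []
    for action, ref in USES_RE.findall(yaml_text):
        if action not in AFFECTED_ACTIONS:
            continue
        if action != "reviewdog/action-setup":
            reason = ("affected through its internal reviewdog/action-setup@v1 "
                      "reference regardless of pinning; review runs in the window")
        elif FULL_SHA_RE.match(ref):
            reason = ("pinned to a full commit SHA; confirm the commit is not one "
                      "of the malicious commits listed in GHSA-qmg3-hpqr-gqvc")
        else:
            reason = (f"mutable ref '{ref}' resolved to tampered code during "
                      "the compromise window; pin to a vetted commit SHA")
        findings.append((action, ref, reason))
    return findings


def runs_in_window(runs):
    """Return ids of runs that started inside the compromise window.

    `runs` is an iterable of (run_id, started_at) with ISO-8601 UTC timestamps,
    e.g. exported from the Actions API. Logs of these runs should be reviewed
    for dumped secrets, and any secret exposed to them rotated.
    """
    hits = []
    for run_id, started_at in runs:
        started = datetime.fromisoformat(started_at.replace("Z", "+00:00"))
        if WINDOW_START <= started <= WINDOW_END:
            hits.append(run_id)
    return hits


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@0123456789abcdef0123456789abcdef01234567
      - name: grep
        uses: reviewdog/action-ast-grep@v1
"""

# Constructed run records (run id, start time); only run-1002 is in the window.
SAMPLE_RUNS = [
    ("run-1001", "2025-03-11T17:55:00Z"),
    ("run-1002", "2025-03-11T19:10:00Z"),
    ("run-1003", "2025-03-11T20:40:00Z"),
    ("run-1004", "2025-03-12T09:00:00Z"),
]

if __name__ == "__main__":
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
    print("runs to triage:", runs_in_window(SAMPLE_RUNS))
```

Run it against real workflow files by reading each `.github/workflows/*.yml` into `audit_workflow`, and feed `runs_in_window` the run start times from your CI history. Note that a SHA-pinned dependent action still gets flagged: that is deliberate, since the advisory states those actions were affected regardless of version or pinning method, which is exactly why the CM-14 and SI-7 controls above point at verifying the components a workflow actually executes rather than only the reference it names.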
