{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30154", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-17T12:41:42.566Z", "datePublished": "2025-03-19T15:15:29.113Z", "dateUpdated": "2025-03-25T03:55:15.353Z"}, "containers": {"cna": {"title": "Multiple Reviewdog actions were compromised during a specific time period", "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "lang": "en", "description": "CWE-506: Embedded Malicious Code", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc"}, {"name": "https://github.com/reviewdog/reviewdog/issues/2079", "tags": ["x_refsource_MISC"], "url": "https://github.com/reviewdog/reviewdog/issues/2079"}, {"name": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887", "tags": ["x_refsource_MISC"], "url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887"}, {"name": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec"}, {"name": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup", "tags": ["x_refsource_MISC"], "url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup"}], "affected": [{"vendor": "reviewdog", "product": "reviewdog", "versions": [{"version": "= 1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-19T15:15:29.113Z"}, "descriptions": [{"lang": "en", "value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."}], "source": {"advisory": "GHSA-qmg3-hpqr-gqvc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-21T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-30154"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-03-24", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T03:55:15.353Z"}, "timeline": [{"time": "2025-03-24T00:00:00+00:00", "lang": "en", "value": "CVE-2025-30154 added to CISA KEV"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30154", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-24T18:54:11.035541Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-03-24", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T16:20:55.189Z"}, "timeline": [{"lang": "en", "time": "2025-03-24T00:00:00+00:00", "value": "CVE-2025-30154 added to CISA KEV"}]}], "cna": {"title": "Multiple Reviewdog actions were compromised during a specific time period", "source": {"advisory": "GHSA-qmg3-hpqr-gqvc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "reviewdog", "product": "reviewdog", "versions": [{"status": "affected", "version": "= 1"}]}], "references": [{"url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc", "name": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/reviewdog/reviewdog/issues/2079", "name": "https://github.com/reviewdog/reviewdog/issues/2079", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887", "name": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec", "name": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec", "tags": ["x_refsource_MISC"]}, {"url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup", "name": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "CWE-506: Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-19T15:15:29.113Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30154", "state": "PUBLISHED", "dateUpdated": "2025-03-24T22:20:22.752Z", "dateReserved": "2025-03-17T12:41:42.566Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-19T15:15:29.113Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cisaActionDue": "2025-04-14", "cisaExploitAdd": "2025-03-24", "cisaRequiredAction": "Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:*", "matchCriteriaId": "803018C3-8A54-4257-8AA0-34C8A44C158B", "versionEndExcluding": "1.26.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CA481E1-E3A5-4D2B-9F18-84F640CAB12E", "versionEndExcluding": "0.20.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:*", "matchCriteriaId": "D5FB52BE-EC23-4D44-99C9-A87DA1C1146B", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5BC0E9A-9A25-44F7-B93D-F8B37816EA90", "versionEndExcluding": "1.29.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:*", "matchCriteriaId": "E197FFD7-ACAE-470F-8734-B49CD171C9B1", "versionEndExcluding": "1.26.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2894269-B4A0-4BA1-BEB9-493B5E4D409B", "versionEndExcluding": "1.17.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."}, {"lang": "es", "value": "reviewdog/action-setup es una acci\u00f3n de GitHub que instala reviewdog. La acci\u00f3n reviewdog/action-setup@v1 se vio comprometida el 11 de marzo de 2025, entre las 18:42 y las 20:31 UTC, con c\u00f3digo malicioso que vierte los secretos expuestos en los registros del flujo de trabajo de acciones de GitHub. Otras acciones de reviewdog que usan `reviewdog/action-setup@v1` y que tambi\u00e9n podr\u00edan verse comprometidas, independientemente de la versi\u00f3n o el m\u00e9todo de fijaci\u00f3n, son reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep y reviewdog/action-typos."}], "id": "CVE-2025-30154", "lastModified": "2025-03-29T01:00:02.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-19T16:15:33.780", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/reviewdog/reviewdog/issues/2079"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}