CVE-2025-30154 Overview
CVE-2025-30154 is a software supply chain compromise of the reviewdog/action-setup GitHub Action, a widely used action that installs reviewdog for automated code review in CI/CD pipelines. On March 11, 2025, between 18:42 and 20:31 UTC, the action was compromised with malicious code that wrote exposed secrets to GitHub Actions workflow logs. The compromise extends beyond action-setup to several dependent reviewdog actions, regardless of how those dependent actions were version-pinned.
Critical Impact
Secrets and credentials from affected CI/CD workflows were exposed to workflow logs, potentially allowing attackers to harvest sensitive authentication tokens, API keys, and other confidential data from thousands of repositories using these GitHub Actions.
Affected Products
- reviewdog action-setup v1
- reviewdog action-shellcheck (all versions using action-setup@v1)
- reviewdog action-composite-template (all versions using action-setup@v1)
- reviewdog action-staticcheck (all versions using action-setup@v1)
- reviewdog action-ast-grep (all versions using action-setup@v1)
- reviewdog action-typos (all versions using action-setup@v1)
Discovery Timeline
- March 11, 2025 - Compromise window: malicious code active between 18:42 and 20:31 UTC
- March 19, 2025 - CVE-2025-30154 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2025-30154
Vulnerability Analysis
This vulnerability represents a classic software supply chain attack targeting CI/CD infrastructure. The attacker gained unauthorized access to the reviewdog/action-setup repository and injected malicious code into the v1 tag. Because GitHub Actions allows referencing an action by a mutable tag (e.g., @v1), the compromise reached all downstream users immediately, without any change to their workflow configurations.
The malicious payload was designed to dump all exposed secrets and environment variables to GitHub Actions Workflow Logs. In GitHub Actions, workflow logs are often accessible to repository collaborators or may be accidentally made public, creating a significant data exfiltration vector. The attack exploited the trust relationship between the action and the secrets injected into the runner environment.
The vulnerability is classified under CWE-506 (Embedded Malicious Code), reflecting the intentional insertion of malware into a trusted software component. This attack has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
Root Cause
The root cause of this vulnerability was the compromise of the reviewdog/action-setup GitHub repository's release infrastructure. The attacker was able to modify the v1 tag to point to a commit containing malicious code. This type of attack exploits the mutable nature of Git tags, where a tag can be moved to point to different commits without downstream users being immediately aware of the change.
The cascading impact occurred because multiple other reviewdog actions (action-shellcheck, action-composite-template, action-staticcheck, action-ast-grep, and action-typos) all reference reviewdog/action-setup@v1 as a dependency. Even if users pinned these dependent actions to specific versions or commit SHAs, the underlying action-setup@v1 reference remained vulnerable to the tag manipulation attack.
Attack Vector
The attack leveraged network-accessible GitHub Actions infrastructure to execute malicious code within the context of CI/CD workflows. When a workflow using any of the compromised actions ran during the attack window, the injected code would:
- Execute within the trusted GitHub Actions runner environment
- Access all secrets and environment variables available to the workflow
- Output the captured credentials to the workflow logs
- Potentially allow attackers monitoring these logs to harvest exposed credentials
The attack required no user interaction and executed automatically whenever workflows containing the compromised actions were triggered. Organizations running continuous integration on every commit were particularly at risk of exposure during the attack window.
Detection Methods for CVE-2025-30154
Indicators of Compromise
- Presence of reviewdog/action-setup@v1 or dependent actions in workflow files that ran between March 11, 2025 18:42 UTC and 20:31 UTC
- Unexpected secret values appearing in GitHub Actions workflow logs during the compromise window
- Workflow runs referencing commit hashes from the compromised period
- Suspicious activity on accounts or services whose credentials were stored as GitHub secrets
Detection Strategies
- Audit all GitHub Actions workflow runs that occurred during the March 11, 2025 compromise window (18:42-20:31 UTC) for any usage of reviewdog actions
- Review workflow logs from the attack period for unexpected output containing environment variables or secret-like patterns
- Use GitHub's audit logs to identify all repositories in your organization that reference any of the affected reviewdog actions
- Implement automated scanning for workflow files referencing mutable tags (@v1, @v2) rather than pinned commit SHAs
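As an added example (not part of this advisory page), a standard-library-only Python scanner that applies the strategies above to workflow text: it flags references to the affected reviewdog actions, refs that are not 40-hex commit SHAs, and run timestamps inside the compromise window. The sample workflow, its actions/checkout SHA, and the reason labels are constructed for this example; the action-setup SHA is the one cited on this page.

```python
"""Scan GitHub Actions workflow text for the reviewdog actions named above, for
refs not pinned to a 40-hex commit SHA, and for runs inside the compromise window."""
import re
from datetime import datetime, timezone
# Actions listed under "Affected Products" on this page.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
}
# Compromise window stated on this page: March 11, 2025, 18:42-20:31 UTC.
WINDOW_START = datetime(2025, 3, 11, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 11, 20, 31, tzinfo=timezone.utc)
# Matches "uses: owner/repo[/subpath]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def scan_workflow(text):
    """Return (action, ref, reasons) for each 'uses:' line that needs attention."""
    findings = []
    for m in USES_RE.finditer(text):
        path, ref = m.group(1), m.group(2)
        if path.startswith("./") or path.startswith("docker://"):
            continue  # local and container actions are not fetched from a Git tag
        action = "/".join(path.split("/")[:2])  # owner/repo; drop any subpath
        reasons = []
        if action in AFFECTED_ACTIONS:
            reasons.append("affected-reviewdog-action")
            if action != "reviewdog/action-setup":
                # Dependents call action-setup@v1 internally, so SHA-pinning them did not help.
                reasons.append("transitive-action-setup-v1")
        if not SHA_RE.match(ref):
            reasons.append("mutable-ref")
        if reasons:
            findings.append((action, ref, reasons))
    return findings

def ran_in_window(started_at):
    """True if an ISO-8601 run start time (as the Actions API reports it) is in the window."""
    ts = datetime.fromisoformat(started_at.replace("Z", "+00:00"))
    return WINDOW_START <= ts <= WINDOW_END

# Constructed sample: the checkout SHA is a placeholder, the action-setup SHA is from this page.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: reviewdog/action-shellcheck@v1
  - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887
"""
```

Run `scan_workflow` over every file under `.github/workflows/` and `ran_in_window` over each run's `run_started_at` from the Actions API to narrow the log review to runs that actually executed during the window.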
Monitoring Recommendations
- Enable GitHub Advanced Security secret scanning to detect exposed credentials in workflow logs
- Implement alerts for any new or modified GitHub Actions references in workflow files across your organization
- Monitor for unauthorized access attempts using credentials that may have been exposed during the compromise
- Establish baseline monitoring for CI/CD pipeline execution patterns to detect anomalous activity
How to Mitigate CVE-2025-30154
Immediate Actions Required
- Immediately rotate ALL secrets that were available to workflows using any of the affected reviewdog actions
- Audit GitHub Actions workflow logs from March 11, 2025 (18:42-20:31 UTC) and delete any that may contain exposed credentials
- Update all workflow files to reference reviewdog actions by full commit SHA rather than mutable tags
- Review access logs and activity for any accounts or services whose credentials may have been compromised
Patch Information
The reviewdog maintainers have addressed this compromise through security commits. Organizations should update their workflows to reference the following remediation commits:
For detailed information about the compromise and remediation steps, refer to the GitHub Security Advisory GHSA-qmg3-hpqr-gqvc and GitHub Issue #2079.
Workarounds
- Pin all GitHub Actions to full commit SHAs instead of version tags to prevent future tag manipulation attacks
- Consider forking critical GitHub Actions into your organization's repositories for additional control and security review
- Implement GitHub Actions allow lists to restrict which third-party actions can be used in your organization
- Use OpenID Connect (OIDC) for cloud provider authentication instead of long-lived secrets where possible to limit exposure window
```yaml
# Example: pin the action to a full commit SHA instead of a version tag
steps:
  # Before (vulnerable to tag manipulation):
  # - uses: reviewdog/action-setup@v1
  # After (pinned to a verified commit):
  - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

