CVE-2025-30154

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-30154

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30154.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30154

Aliases

GHSA-qmg3-hpqr-gqvc

Published

2025-03-19T15:15:29.113Z

Modified

2026-04-10T05:27:01.175496Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Multiple Reviewdog actions were compromised during a specific time period

Details

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use reviewdog/action-setup@v1 that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-506"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30154.json"
}

References

Affected packages

Git

github.com/reviewdog/action-ast-grep

Affected ranges

Type

GIT

Repo

https://github.com/reviewdog/action-ast-grep

Events

Introduced

Fixed

5139a664d8891a080f67b78c6e6e85ccb2e002f6

Introduced

Last affected

aa4e7686215e8bff5bb5e717df7b22aca50ddea9

Introduced

Fixed

51b2e18f68bd932465c5e3d352757bd178981767

Introduced

Fixed

5139a664d8891a080f67b78c6e6e85ccb2e002f6

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.26.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.29.2"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.26.2"
        }
    ]
}

Affected versions

Other

v1.*

v1.0

v1.0.0

v1.0.1

v1.0.2

v1.1

v1.1.0

v1.10

v1.10.0

v1.11

v1.11.0

v1.12

v1.12.0

v1.13

v1.13.0

v1.14

v1.14.0

v1.15

v1.15.0

v1.16

v1.16.0

v1.17

v1.17.0

v1.18

v1.18.0

v1.19

v1.19.0

v1.2

v1.2.0

v1.20

v1.20.0

v1.21

v1.21.0

v1.22

v1.22.0

v1.23

v1.23.0

v1.24

v1.24.0

v1.25

v1.25.0

v1.26

v1.26.0

v1.26.1

v1.26.2

v1.26.3

v1.26.4

v1.26.5

v1.26.6

v1.26.7

v1.26.8

v1.27

v1.27.0

v1.27.1

v1.27.2

v1.27.3

v1.27.4

v1.27.5

v1.28

v1.28.0

v1.29

v1.29.0

v1.29.1

v1.29.2

v1.3

v1.3.0

v1.30

v1.30.0

v1.30.1

v1.31

v1.31.0

v1.32

v1.32.0

v1.33

v1.33.0

v1.33.1

v1.34

v1.34.0

v1.34.1

v1.35

v1.35.0

v1.35.1

v1.35.2

v1.36

v1.36.0

v1.37

v1.37.0

v1.37.1

v1.37.2

v1.38

v1.38.0

v1.38.1

v1.38.2

v1.38.3

v1.39

v1.39.0

v1.39.1

v1.39.2

v1.39.3

v1.39.4

v1.4

v1.4.0

v1.40

v1.40.0

v1.40.1

v1.40.2

v1.40.3

v1.40.4

v1.40.5

v1.41

v1.41.0

v1.41.1

v1.41.2

v1.41.3

v1.41.4

v1.41.5

v1.42

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.5

v1.42.6

v1.43

v1.43.0

v1.43.1

v1.43.2

v1.43.3

v1.43.4

v1.43.5

v1.43.6

v1.44

v1.44.0

v1.44.1

v1.45

v1.45.0

v1.45.1

v1.46

v1.46.0

v1.46.1

v1.46.2

v1.46.3

v1.46.4

v1.46.5

v1.46.6

v1.46.7

v1.46.8

v1.47

v1.47.0

v1.47.1

v1.48

v1.48.0

v1.48.1

v1.49

v1.49.0

v1.5

v1.5.0

v1.50

v1.50.0

v1.50.1

v1.50.2

v1.50.3

v1.50.4

v1.50.5

v1.50.6

v1.50.7

v1.50.8

v1.50.9

v1.51

v1.51.0

v1.51.1

v1.52

v1.52.0

v1.53.0

v1.53.1

v1.53.2

v1.53.3

v1.6

v1.6.0

v1.7

v1.7.0

v1.8

v1.8.0

v1.9

v1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30154.json"

github.com/reviewdog/action-composite-template

Affected ranges

Type

GIT

Repo

https://github.com/reviewdog/action-composite-template

Events

Introduced

Fixed

e8f0e0a5f62a05a6d9e4bd84c4b6e582b8091e23

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.20.2"
        }
    ]
}

Affected versions

v0.*

v0.1

v0.1.0

v0.1.1

v0.10

v0.10.0

v0.11

v0.11.0

v0.12

v0.12.0

v0.13

v0.13.0

v0.14

v0.14.0

v0.15

v0.15.0

v0.16

v0.16.0

v0.17

v0.17.0

v0.18

v0.18.0

v0.19

v0.19.0

v0.2

v0.2.0

v0.20.0

v0.20.1

v0.3

v0.3.0

v0.3.1

v0.3.2

v0.4

v0.4.0

v0.5

v0.5.0

v0.6

v0.6.0

v0.7

v0.7.0

v0.7.1

v0.8

v0.8.0

v0.8.1

v0.9

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30154.json"

github.com/reviewdog/action-setup

Affected ranges

Type: GIT
Repo: https://github.com/reviewdog/action-setup
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f0d342d24037bb11d26b9bd8496e0808ba32e9ec

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30154.json"

github.com/reviewdog/action-typos

Affected ranges

Type

GIT

Repo

https://github.com/reviewdog/action-typos

Events

Introduced

Fixed

627388e238f182b925d9acd151432f9b68f1d666

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.2"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.0.0

v1.0.1

v1.1

v1.1.0

v1.10

v1.10.0

v1.11

v1.11.0

v1.12

v1.12.0

v1.13

v1.13.0

v1.14

v1.14.0

v1.15

v1.15.0

v1.16

v1.16.0

v1.17.0

v1.17.1

v1.2

v1.2.0

v1.3

v1.3.0

v1.4

v1.4.0

v1.5

v1.5.0

v1.6

v1.6.0

v1.7

v1.7.0

v1.8

v1.8.0

v1.9

v1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30154.json"