Embedded Malicious Code

CVE-2025-30154

High

8.6/10

Summary

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-506 - Embedded Malicious Code

The application contains code that appears to be malicious in nature.

References

Advisory Timeline

Published Mar 19, 2025

Embedded Malicious Code

CVE-2025-30154

Summary

CWE-506 - Embedded Malicious Code

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS