Embedded malicious code (backdoor) in reviewdog - CVE-2025-30154

 

Embedded malicious code (backdoor) in reviewdog - CVE-2025-30154

Published: March 25, 2025


Vulnerability identifier: #VU105991
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-30154
CWE-ID: CWE-506
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: reviewdog
Affected software:
reviewdog

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The reviewdog/action-setup@v1 repository was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added to it. Purpose of the malicious code was to dumps exposed secrets to Github Actions Workflow Logs.

Other reviewdog actions that use reviewdog/action-setup@v1 would also be compromised, regardless of version or pinning method:

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck
  • reviewdog/action-ast-grep
  • reviewdog/action-typos



How to mitigate CVE-2025-30154

Install updates from vendor's website.

Sources