{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-16T03:54:42.740","vulnerabilities":[{"cve":{"id":"CVE-2025-30154","sourceIdentifier":"security-advisories@github.com","published":"2025-03-19T16:15:33.780","lastModified":"2025-10-24T13:58:58.223","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."},{"lang":"es","value":"reviewdog/action-setup es una acción de GitHub que instala reviewdog. La acción reviewdog/action-setup@v1 se vio comprometida el 11 de marzo de 2025, entre las 18:42 y las 20:31 UTC, con código malicioso que vierte los secretos expuestos en los registros del flujo de trabajo de acciones de GitHub. Otras acciones de reviewdog que usan `reviewdog/action-setup@v1` y que también podrían verse comprometidas, independientemente de la versión o el método de fijación, son reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep y reviewdog/action-typos."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.0}]},"cisaExploitAdd":"2025-03-24","cisaActionDue":"2025-04-14","cisaRequiredAction":"Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","cisaVulnerabilityName":"reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability","weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-506"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:*","versionEndExcluding":"1.26.2","matchCriteriaId":"803018C3-8A54-4257-8AA0-34C8A44C158B"},{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:*","versionEndExcluding":"0.20.2","matchCriteriaId":"0CA481E1-E3A5-4D2B-9F18-84F640CAB12E"},{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:*","matchCriteriaId":"D5FB52BE-EC23-4D44-99C9-A87DA1C1146B"},{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:*","versionEndExcluding":"1.29.2","matchCriteriaId":"B5BC0E9A-9A25-44F7-B93D-F8B37816EA90"},{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:*","versionEndExcluding":"1.26.2","matchCriteriaId":"E197FFD7-ACAE-470F-8734-B49CD171C9B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:*","versionEndExcluding":"1.17.2","matchCriteriaId":"B2894269-B4A0-4BA1-BEB9-493B5E4D409B"}]}]}],"references":[{"url":"https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/reviewdog/reviewdog/issues/2079","source":"security-advisories@github.com","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"]}]}}]}