External risk intelligence

Reviewdog Actions Expose Secrets in Logs

CVE advisoryKnown Exploit

CVE-2025-30154

A GitHub Action used for installing development tools was compromised, exposing sensitive secrets in workflow logs. This impacts several related actions, risking the exposure of confidential business data. Organizations should address this to protect development pipelines.

1Halo Surface Signal

Reviewdog Action Ast Grep

before 1.26.2before 0.20.21before 1.29.2before 1.17.2

External exposure likelihood

Halo Surface Signal score for CVE-2025-30154

This vulnerability exists within build-time tooling (GitHub Actions) used for software development workflows. It is not an internet-facing service, appliance, or application reachable from the public network in a normal deployment, but rather a component of a developer's CI/CD pipeline.

Horizon Alert

Summary of the vulnerability and why it matters

The reviewdog/action-setup GitHub action was compromised, allowing malicious code to be introduced. This code extracts sensitive information and exposes it in workflow logs. Other reviewdog actions that rely on this compromised component are also affected.

Vulnerable reviewdog actions
Exposed secrets in logs
Compromised business data

Attack Path

How an attacker could exploit the issue

Attackers can compromise software development workflows by injecting malicious code into a GitHub action used to install development tools. This action, when executed, can exfiltrate sensitive information from the workflow logs. This could lead to unauthorized access to credentials and other confidential data, posing a significant risk to the affected organization.

Exposure condition: GitHub action workflow execution.
Attacker starting point: Compromised GitHub action.
Trigger and result: Malicious code execution, secrets exposed.

Live Threat

Current exploitation, exposure, and threat context

A security incident occurred within the `reviewdog/action-setup` GitHub Action, which was compromised and included malicious code. This code was designed to expose sensitive secrets within GitHub Actions workflow logs. The compromise affected `reviewdog/action-setup@v1` and other related reviewdog actions that utilized it, regardless of their specific version or how they were pinned. The primary impact involves the potential exfiltration of confidential information, posing a significant risk to the integrity and security of development pipelines.

Attackers with moderate skill.
Affected GitHub Actions workflows.
High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The reviewdog/action-setup GitHub action was compromised, allowing malicious code to exfiltrate secrets from workflow logs. This affects several related reviewdog actions, regardless of version. Organizations should address this to protect sensitive data and maintain the integrity of their development pipelines.

Find all instances of affected actions.
Isolate or remove compromised actions.
Rebuild and validate workflows.
Monitor for unauthorized access.

Frequently asked questions

What is reviewdog/action-setup and how was it compromised?

reviewdog/action-setup is a GitHub Action used to install the reviewdog tool for automating code quality checks. The action was compromised on March 11, 2025, when malicious code was injected into version v1, which exfiltrated exposed secrets into GitHub Actions workflow logs.

How does the CVE-2025-30154 vulnerability expose secrets?

The weakness class for CVE-2025-30154 is CWE-506, representing code that contains a back door. Malicious code embedded in the reviewdog/action-setup GitHub Action dumped exposed secrets directly into workflow logs, making them accessible.

What is the scope of the compromise for reviewdog actions?

The compromise affected reviewdog/action-setup@v1. Consequently, other reviewdog actions that depend on this specific version, such as reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos, are also compromised, irrespective of their own versioning or pinning.

What is the relevance of CVE-2025-30154 with CISA's advisory?

CISA issued an alert regarding this supply chain compromise, highlighting that the reviewdog/action-setup GitHub Action contained malicious code designed to steal secrets from workflow logs. The advisory emphasizes the need for urgent mitigation as outlined by CISA and vendor instructions.

What steps should be taken to address the reviewdog/action-setup vulnerability?

Organizations should identify all instances of the affected reviewdog actions within their workflows. It is crucial to isolate or remove the compromised actions, then rebuild and validate workflows. Continuous monitoring for any unauthorized access or data exfiltration is also recommended to maintain development pipeline integrity.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.