2025/06 : Internal-CISA - Reviewdog Action-setup GitHub Action - CVE-2025-30154

Jun 18, 2025 by ADMIN 80 views

2025/06: Internal CISA Reviewdog Action-Setup GitHub Action - CVE-2025-30154

Summary

Vulnerability Name: Reviewdog/Action-Setup GitHub Action Embedded Malicious Code Vulnerability

This document confirms the impact of the reviewdog action-setup GitHub Action vulnerability, specifically the embedded malicious code, identified as CVE-2025-30154. This vulnerability analysis details the scope, severity, and potential impact on systems utilizing this GitHub Action. It is crucial to assess and remediate this vulnerability promptly to prevent unauthorized access and data breaches.

Reference

This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, emphasizing its active exploitation in the wild.

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2025-30154

Severity

This vulnerability is classified as HIGH severity based on the CVSS v3.1 score:

CVSS v3.1 Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

This CVSS vector indicates the following:

AV:N (Attack Vector: Network): The vulnerability can be exploited over the network, making it remotely accessible.
AC:L (Attack Complexity: Low): The attack is easily executed, requiring minimal effort from the attacker.
PR:N (Privileges Required: None): No privileges are required to exploit the vulnerability.
UI:N (User Interaction: None): No user interaction is required to trigger the vulnerability.
S:C (Scope: Changed): The vulnerability affects resources beyond the attacker's control.
C:H (Confidentiality: High): There is a high impact on confidentiality, with sensitive information potentially exposed.
I:N (Integrity: None): There is no impact on data integrity.
A:N (Availability: None): There is no impact on system availability.

Given the high confidentiality impact and the ease of exploitation, immediate action is required to mitigate this vulnerability.

Detailed Description of the Vulnerability

The reviewdog/action-setup is a GitHub Action designed to facilitate the installation and usage of reviewdog, a tool that automates code review processes. This particular vulnerability, CVE-2025-30154, arises from the compromise of the reviewdog/action-setup@v1 version. During a specific timeframe on March 11, 2025, between 18:42 and 20:31 UTC, malicious code was injected into this action. This malicious code was designed to extract and dump exposed secrets directly into the GitHub Actions Workflow Logs. This action constitutes a significant security risk, as these logs are often accessible, potentially exposing sensitive information to unauthorized parties. The vulnerability is not confined to the reviewdog/action-setup@v1 action itself. Other reviewdog actions that depend on it are also at risk. This includes, but is not limited to, reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The compromise of these actions is irrespective of the version being used or the pinning method employed. This means that even if a specific version of these actions was pinned, the underlying dependency on the compromised reviewdog/action-setup@v1 would still leave the system vulnerable. The nature of this vulnerability allows for the potential exfiltration of sensitive information, such as API keys, passwords, and other credentials, which can then be used for malicious purposes. The fact that the secrets are dumped into the GitHub Actions Workflow Logs is particularly concerning, as these logs may be inadvertently shared or accessed by individuals who should not have access to them. The relatively short window of the compromise (approximately two hours) might lead some to believe that the risk is minimal. However, it is critical to recognize that any workflows executed during this timeframe, or subsequently relying on the compromised action, are potentially affected. Organizations must conduct a thorough review of their GitHub Actions workflows to identify and mitigate any instances of the compromised action being used. This includes auditing logs, updating affected actions, and potentially rotating any exposed secrets. The broad impact of this vulnerability, stemming from its presence in a foundational setup action, underscores the importance of supply chain security in modern software development. Compromises in seemingly minor dependencies can have far-reaching consequences, highlighting the need for robust security practices throughout the development lifecycle. Addressing this vulnerability requires a multi-faceted approach, including technical remediation, process improvements, and ongoing vigilance. It is imperative that organizations prioritize the security of their CI/CD pipelines and take proactive steps to prevent similar incidents from occurring in the future.

Reporter

CISA - CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY