PT-2025-11694 · Reviewdog · Reviewdog/Action-Setup+5
Published 2025-03-12 · Updated 2026-04-01 · CVE-2025-30154
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
reviewdog/action-setup version 1
Description
The GitHub Action reviewdog/action-setup was compromised with malicious code between March 11, 2025, 18:42 and 20:31 UTC. The injected code dumps secrets exposed to the runner into the GitHub Actions workflow logs. Actions that use reviewdog/action-setup@v1, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos, are also affected. The malicious code enabled attackers to steal a Personal Access Token (PAT) belonging to the tj-bot-actions account and modify the tj-actions/changed-files repository.
Recommendations
Do not use reviewdog/action-setup version 1.
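As an added example (not part of this advisory), the following stdlib-only Python check scans a GitHub workflow file for direct `uses:` references to the actions listed above and reports whether each is pinned to a full commit SHA or to a mutable ref such as @v1. The workflow text is constructed for the demonstration; the action names come from the advisory.

```python
import re

# Actions the advisory names as affected: action-setup@v1 itself and the
# reviewdog actions that call it internally.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

# Matches "- uses: owner/repo[/path]@ref" at the start of a line.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow mixing unaffected, mutable and SHA-pinned refs.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@v1.29.0
      - uses: reviewdog/action-typos@0123456789abcdef0123456789abcdef01234567
"""


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per direct reference to an affected reviewdog action."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any sub-path
        if repo not in AFFECTED_ACTIONS:
            continue
        pinned = bool(SHA_RE.match(ref))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "action": action,
            "ref": ref,
            "pinned_to_sha": pinned,
            # A SHA pin is only safe if that commit is outside the compromise window.
            "advice": ("SHA-pinned: confirm the commit is not from the compromise window"
                       if pinned else "mutable ref: pin to a known-clean commit SHA"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['advice']}")
```

The check only sees direct `uses:` lines; a third-party action that invokes reviewdog/action-setup inside its own action.yml is not reported, so those actions' definitions need the same review.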
Affected Products
Reviewdog/Action-Ast-Grep
Reviewdog/Action-Composite-Template
Reviewdog/Action-Setup
Reviewdog/Action-Shellcheck
Reviewdog/Action-Staticcheck
Reviewdog/Action-Typos