CVE-2025-30154 — reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability

CVE-2025-30154

reviewdog/action-setup — CI/CD Supply Chain Cascade: Upstream Compromise Enables Downstream tj-actions Attack

What is reviewdog/action-setup?

reviewdog is an open-source code review automation tool that runs linters and static analyzers in CI/CD pipelines and posts results as GitHub pull request comments. reviewdog/action-setup is the GitHub Action used to install and configure reviewdog in a workflow. The tj-actions project, which maintains tj-actions/changed-files (the adjacent supply chain attack, CVE-2025-30066), used reviewdog/action-setup as a dependency in its own CI, which is why understanding the relationship between the two compromises is important.

Overview

CVE-2025-30154 is an embedded malicious code vulnerability (CWE-506) in the reviewdog/action-setup GitHub Action. The reviewdog GitHub account was compromised on approximately March 11, 2025, and the attacker injected a payload into action-setup that dumped CI/CD secrets to workflow run logs. The reviewdog compromise appears to have been the upstream stepping stone that enabled the attacker to then compromise tj-actions/changed-files (CVE-2025-30066) — a far more widely-used action with over 23,000 dependent repositories. The two CVEs represent a cascading supply chain attack.

Affected Versions

Product                  Vulnerable                                              Fixed
reviewdog/action-setup   Compromised tags, notably v1 (March 11–19, 2025)        Tags restored after March 19, 2025

Workflows pinning to a pre-compromise SHA were not affected.

Technical Details

The attacker gained access to the reviewdog GitHub account and injected a malicious shell payload into action-setup's workflow steps. Like the tj-actions attack (CVE-2025-30066), the payload:

  1. Reads the secrets held by the running GitHub Actions runner process (its environment, which includes the resolved secrets.* values)
  2. Base64-encodes the collected data
  3. Prints the encoded blob to the workflow run log

Because the logs of public repositories are readable by anyone, the attacker (or anyone else) could then harvest the dumped secrets from those logs; no outbound connection from the runner was needed.

Cascade relationship with CVE-2025-30066: tj-actions used reviewdog/action-setup in its own CI pipeline, so the compromised action ran there and dumped that pipeline's secrets. The working hypothesis is that a credential leaked this way gave the attacker write access to tj-actions/changed-files, which was then attacked in the same manner. By injecting into reviewdog first, the attacker obtained what was needed for the larger-scale tj-actions attack, which affected 23,000+ repositories.

Secrets commonly exposed: AWS IAM credentials, GitHub Personal Access Tokens, npm tokens, Docker credentials, and other CI/CD service keys.
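The payload left its loot in run logs as base64 text, so the practical check after the fact is to scan your own workflow logs from the compromise window for base64 tokens that decode to environment-style KEY=VALUE lines. The script below is an added example written for this page, not code from reviewdog, tj-actions or CISA. It decodes up to two nested base64 layers (some reports describe the dump as double-encoded) and flags tokens whose decoded content contains sensitive-looking variable names. The log lines and secret values are constructed for the example.

```python
"""Scan GitHub Actions run logs for base64-wrapped environment/secret dumps.

Added example for CVE-2025-30154 / CVE-2025-30066, not reviewdog's or
tj-actions' code.  Assumption: the exfiltrated material was printed into the
run log as one or more base64 tokens, possibly base64-encoded twice.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Base64 tokens of at least 40 characters (shorter runs are mostly noise).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Decoded text "looks like an environment dump" when it has NAME=value lines.
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]{2,}=.+$", re.M)
# Variable names we consider sensitive enough to report.
SENSITIVE = re.compile(r"(TOKEN|SECRET|PASSWORD|KEY|CREDENTIAL)", re.I)


def decode_layers(token: str, max_layers: int = 2) -> Optional[str]:
    """Peel up to max_layers of base64 off `token`.

    Returns the decoded text as soon as it contains KEY=VALUE lines, or None
    if a layer is not valid base64, is not UTF-8 text, or is plain text that
    does not look like an environment dump.
    """
    data = token.encode()
    for _ in range(max_layers):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if ENV_LINE.search(text):
            return text
        # Not an env dump yet: only continue if it is itself another base64 layer.
        if not B64_TOKEN.fullmatch(text.strip()):
            return None
        data = text.strip().encode()
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, sensitive variable names) for every suspicious token."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in B64_TOKEN.finditer(line):
            text = decode_layers(match.group(0))
            if text is None:
                continue
            names = sorted({env.split("=", 1)[0] for env in ENV_LINE.findall(text)})
            hits = [name for name in names if SENSITIVE.search(name)]
            if hits:
                findings.append((lineno, hits))
    return findings


# --- Constructed sample input (fake secrets, not real credentials) -----------
FAKE_ENV = (
    "HOME=/home/runner\n"
    "AWS_SECRET_ACCESS_KEY=EXAMPLE-NOT-A-REAL-KEY\n"
    "GITHUB_TOKEN=ghp_EXAMPLEEXAMPLE\n"
    "PATH=/usr/bin\n"
)


def double_b64(text: str) -> str:
    """Encode text twice, the way the dumped blob is described."""
    return base64.b64encode(base64.b64encode(text.encode())).decode()


SAMPLE_LOG = [
    "2025-03-11T19:02:11Z Run reviewdog/action-setup@v1",
    "2025-03-11T19:02:12Z Installing reviewdog ...",
    "2025-03-11T19:02:13Z " + double_b64(FAKE_ENV),
    "2025-03-11T19:02:14Z "
    + base64.b64encode(b"an innocuous build artifact checksum blob that is long").decode(),
]

if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: possible secret dump, variables {names}")
```

Run it against a downloaded run log (split on newlines and pass the list to scan_log) for every workflow that executed either action in the window; a hit on a line emitted by the action-setup or changed-files step is a strong signal that the secrets in that workflow must be rotated.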

Discovery

Security researchers tracking the tj-actions/changed-files incident traced the attack chain back to the upstream reviewdog/action-setup compromise. CISA issued an alert on the tj-actions compromise on March 18, 2025; CVE-2025-30154 was published on March 19 and added to the KEV catalog on March 24.

Exploitation Context

The two-stage supply chain cascade, reviewdog first and then tj-actions, illustrates how attackers climb the dependency tree to maximize impact. By compromising a smaller, less-monitored action upstream, the attacker gained the access needed to compromise a far more widely used downstream action. The initial target was reportedly Coinbase's CI/CD pipeline; the broader deployment collected credentials from an unknown number of public and private repositories that ran workflows using either affected Action during the compromise window.

Remediation

  1. Pin all GitHub Actions to full commit SHAs. A reference such as uses: reviewdog/action-setup@<sha> cannot be redirected by rewriting a tag like v1, which is exactly what the attacker did here. This applies universally, not just to these two actions.
  2. Rotate all CI/CD secrets exposed in workflows that ran either action between March 11–19, 2025. Treat any secret available to such a workflow run as compromised, whether or not you find it in the logs.
  3. Audit dependency chains: understand which Actions your workflows use, and which other Actions those depend on (including composite and reusable workflows). Upstream compromises propagate downstream.
  4. Follow CISA's mitigation instructions in the alert and the KEV entry for this CVE.
  5. Review workflow run logs from the compromise window for unexpected base64 blobs emitted by these steps. Enable secret scanning and push protection so that leaked long-lived credentials that later land in repository content are caught.
  6. Minimize secrets in CI/CD: use short-lived credentials (OIDC federation with AWS/GCP/Azure, with permissions: id-token: write) rather than long-lived static keys that can be exfiltrated and reused.
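Steps 1, 3 and 6 can be checked mechanically. The script below is an added example for this page (not tooling from reviewdog, tj-actions or GitHub): it reads workflow YAML as text, so it needs no PyYAML, lists every uses: reference that is not pinned to a full 40-hex commit SHA, and flags references to static AWS keys in secrets.*. The embedded workflow is constructed for the example and shows the weak job beside the hardened one; the 40-hex SHAs in it are placeholders, not the real commits of those actions.

```python
"""Audit GitHub Actions workflow files for mutable action refs and static cloud keys.

Added example for the remediation steps above; not the project's own tooling.
Assumptions: workflows are scanned as text (no YAML parser), a "pinned" ref is
exactly 40 lowercase hex characters after '@', and long-lived cloud keys are
recognised by the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secret names.
"""
import re
import sys
from typing import Dict, List

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)          # every `uses:` ref
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                          # immutable pin
STATIC_KEY = re.compile(r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)")
OIDC = re.compile(r"id-token:\s*write")                           # OIDC federation enabled


def audit_workflow(text: str) -> Dict[str, object]:
    """Classify action references and credential usage in one workflow file."""
    unpinned: List[str] = []
    pinned: List[str] = []
    for match in USES.finditer(text):
        ref = match.group(1).strip("'\"")
        # Local actions and container images are not reachable by tag rewriting.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _, version = ref.partition("@")
        (pinned if FULL_SHA.match(version) else unpinned).append(ref)
    return {
        "unpinned": unpinned,
        "pinned": pinned,
        "static_cloud_keys": sorted(set(STATIC_KEY.findall(text))),
        "uses_oidc": bool(OIDC.search(text)),
    }


# --- Constructed sample workflow: weak job followed by hardened job -----------
# The 40-hex values are placeholders, not the real commits of these actions.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  weak:                                  # tag refs + long-lived static keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
  hardened:                              # full-SHA pins + OIDC, no static keys
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-role
          aws-region: us-east-1
"""

if __name__ == "__main__":
    # Usage: python audit.py .github/workflows/ci.yml   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    report = audit_workflow(text)
    for ref in report["unpinned"]:
        print(f"UNPINNED (tag/branch ref, rewritable): {ref}")
    for name in report["static_cloud_keys"]:
        print(f"STATIC CLOUD KEY referenced: secrets.{name}")
    print("OIDC federation configured:", report["uses_oidc"])
```

Pinning to a SHA only helps if you also track updates (Dependabot or Renovate can bump SHA pins with a version comment), and the static-key check is a starting point: extend STATIC_KEY with the secret names your own workflows use for GCP, Azure, npm or Docker registries.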

Key Details

Property              Value
CVE ID                CVE-2025-30154
Vendor / Product      reviewdog — action-setup GitHub Action
NVD Published         2025-03-19
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.6
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-506 (Embedded Malicious Code)
CISA KEV Added        2025-03-24
CISA KEV Deadline     2025-04-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-04-14. Apply mitigations as set forth in the CISA instructions referenced in the KEV entry for this CVE. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-03-11   reviewdog/action-setup compromised (attacker injects secret-dumping payload)
2025-03-14   tj-actions/changed-files (CVE-2025-30066) compromised using access obtained via reviewdog
2025-03-18   CISA issues alert on the tj-actions compromise
2025-03-19   CVE-2025-30154 published
2025-03-24   CISA adds CVE-2025-30154 to KEV catalog
2025-04-14   CISA BOD 22-01 remediation deadline