Listen to this Post
A new security vulnerability has been identified in the GitHub Action reviewdog/action-setup, which is widely used for setting up reviewdog, a tool for running static analysis in CI/CD workflows. On March 11, 2025, attackers managed to inject malicious code into reviewdog/action-setup@v1, posing a significant risk to software projects relying on this action.
The breach allowed sensitive secrets to be leaked into GitHub Actions workflow logs, exposing credentials that could be exploited by malicious actors. The compromised window lasted for about two hours, from 18:42 to 20:31 UTC. This incident raises serious concerns about supply chain security within GitHub Actions and the potential for similar attacks on other repositories.
This article will summarize the impact of this compromise, analyze the risks, and discuss what Undercode has to say about this event.
the CVE Report
What Happened?
- The GitHub Action reviewdog/action-setup@v1 was compromised on March 11, 2025, during a two-hour window.
- Malicious code was inserted, causing secrets to be leaked to GitHub Actions Workflow Logs.
- Any GitHub repository using this action during the compromised period was at risk.
Affected GitHub Actions
The following reviewdog actions were also affected if they referenced reviewdog/action-setup@v1:
– reviewdog/action-shellcheck
– reviewdog/action-composite-template
– reviewdog/action-staticcheck
– reviewdog/action-ast-grep
– reviewdog/action-typos
Security Severity and Impact
– CVSS Score: 8.6 (High Severity)
– Attack Vector: Network-based
– Access Complexity: Low
– Privileges Required: None
– User Interaction: None
– Scope: Compromised
– Confidentiality Impact: High (secrets leaked)
– Integrity & Availability Impact: None
References and Confirmation
The security breach has been acknowledged and discussed in multiple sources:
– [GitHub Security Advisory](https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc)
– [GitHub Issue 2079](https://github.com/reviewdog/reviewdog/issues/2079)
– [Malicious Commit 1](https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887)
– [Malicious Commit 2](https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec)
– [Wiz.io Blog Analysis](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup)
What Undercode Says:
A Growing Threat in GitHub Actions Security
This attack is not an isolated incident but part of a growing trend where malicious actors target CI/CD pipelines to compromise software supply chains. The fact that an attacker was able to inject malicious code into reviewdog/action-setup raises several critical security concerns:
1. Trust in Open Source Dependencies – Many GitHub Actions rely on third-party developers maintaining their integrity. If an attacker gains access, they can silently inject malicious code, impacting thousands of repositories.
2. Lack of Strong Code Review Processes – The malicious code went undetected for two hours, indicating a gap in monitoring and review for GitHub Actions updates.
3. Secrets Exposure Risks – The attack focused on leaking secrets into workflow logs, a common attack vector that could allow access to API keys, credentials, and sensitive data.
How Can Developers Protect Themselves?
- Use Fixed Versions & Verify Checksums – Instead of referencing actions using
@v1, use pinned versions with SHA256 hashes to ensure you are using a verified, untampered version. - Monitor Dependencies for Security Alerts – Enable GitHub Dependabot alerts and subscribe to security advisories for all actions you use.
- Restrict Secrets Exposure in Logs – Configure GitHub Actions to mask secrets and prevent them from appearing in logs, even in case of compromise.
- Limit GitHub Action Permissions – Use least privilege access controls to restrict the permissions of third-party actions.
- Conduct Regular Security Audits – Regularly review your CI/CD setup, including external actions, to catch anomalies early.
Lessons from This Attack
- GitHub Actions are a security blind spot – Many organizations treat them as trusted, but this attack proves they need more scrutiny.
- Time-to-Detection Matters – The faster a compromise is detected and mitigated, the lower the damage. In this case, two hours was enough for secrets to be exposed.
- Transparency in Incident Response – The quick reporting by the reviewdog team and security researchers was crucial in containing the damage. Open source projects must be proactive in security disclosure.
Fact Checker Results
✔ Confirmed Security Breach – The attack on reviewdog/action-setup@v1 is verified by multiple trusted sources.
✔ Valid CVSS Score – The severity rating of 8.6 (High) is appropriate given the exposure of secrets in logs.
✔ Ongoing Investigation – While the issue has been mitigated, further security audits are recommended for related dependencies.
This incident highlights the urgent need for stronger security measures in GitHub Actions. Developers must take a proactive approach to securing their CI/CD pipelines to prevent similar attacks in the future.
References:
Reported By: https://www.cve.org/CVERecord?id=CVE-2025-30154
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





