CVE-2025-30145: 
Java vulnerability analysis and mitigation

The reviewdog/action-setup GitHub action (v1) was compromised on March 11, 2025, between 18:42 and 20:31 UTC. The compromise involved malicious code that was designed to dump exposed secrets to Github Actions Workflow Logs. This vulnerability affected multiple reviewdog actions that depend on reviewdog/action-setup@v1, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The vulnerability is classified as CWE-506 (Embedded Malicious Code). The attack requires no user interaction or privileges and can be executed remotely (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information, as the malicious code was specifically designed to extract secrets from GitHub Actions workflows and dump them to workflow logs. This could lead to the compromise of sensitive credentials and tokens used in CI/CD pipelines (NVD).

Organizations using affected reviewdog actions should immediately update to the patched versions: action-ast-grep v1.26.2, action-composite-template v0.20.2, action-shellcheck v1.29.2, and action-staticcheck v1.26.2. CISA has set a due date of April 14, 2025, for federal agencies to apply the required mitigations (NVD).