PatchSiren cyber security CVE debrief

CVE-2025-30154 reviewdog CVE debrief

CVE-2025-30154 is a GitHub Actions supply-chain issue affecting reviewdog/action-setup and is listed in CISA’s Known Exploited Vulnerabilities catalog. Because CISA has assigned a mitigation due date and directs organizations to follow vendor guidance or stop using the product if mitigations are unavailable, this should be treated as an urgent CI/CD risk.

Vendor: reviewdog
Product: action-setup GitHub Action
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-03-24
Original CVE updated: 2025-03-24
Advisory published: 2025-03-24
Advisory updated: 2025-03-24

Who should care

Security and DevOps teams that use reviewdog/action-setup in GitHub workflows, especially repository owners, CI/CD platform operators, and supply-chain risk owners responsible for third-party Actions.

Technical summary

The supplied corpus identifies CVE-2025-30154 as an "Embedded Malicious Code" vulnerability in the reviewdog/action-setup GitHub Action. CISA has added it to KEV, which indicates it is known to have been exploited and requires prompt mitigation. The supplied materials do not include a CVSS score or further detail on the technical mechanism.

Defensive priority

Urgent

Recommended defensive actions

  • Inventory repositories and workflows that reference reviewdog/action-setup and determine where it is in use.
  • Follow the vendor and CISA mitigation guidance immediately; replace, update, or discontinue the Action if a safe mitigation is not available.
  • Apply least-privilege settings for GitHub Actions tokens and workflow permissions in affected repositories.
  • Review workflow execution history and related CI/CD logs for unexpected behavior around use of the Action.
  • Track the official CVE, NVD, and CISA KEV entries for any updated remediation guidance or status changes.
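The inventory step above, as an added example that is not part of the PatchSiren debrief or the reviewdog project: a standard-library Python scanner that finds `uses:` references to reviewdog/action-setup in workflow files and reports whether each one is pinned to a full commit SHA, since a tag or branch reference can be retargeted while a SHA cannot. The sample workflow and its all-zero SHA are constructed placeholders.

```python
import re
from pathlib import Path

# Added example for the inventory step; not code from PatchSiren or reviewdog.
# Parses `uses:` lines with a regex (stdlib only, no YAML dependency) and reports pin status.
TARGET_ACTION = "reviewdog/action-setup"

# `- uses: owner/repo@ref` or `uses: owner/repo/subdir@ref`, with optional quotes and comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@'\"\s]+)?@([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # immutable pin; tags and branches can be retargeted

def find_action_refs(workflow_text: str, action: str = TARGET_ACTION) -> list[dict]:
    """Return one finding per line that references `action`, with its pin status."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == action:
            ref = m.group(2)
            findings.append({"line": lineno, "ref": ref, "sha_pinned": bool(SHA_RE.match(ref))})
    return findings

def scan_repo(root: Path, action: str = TARGET_ACTION) -> dict[str, list[dict]]:
    """Scan a checked-out repository's workflow files; map file path -> findings."""
    results = {}
    for path in sorted(root.glob(".github/workflows/*.y*ml")):
        hits = find_action_refs(path.read_text(encoding="utf-8"), action)
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample workflow for an offline run; the 40-zero SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1  # mutable tag: check which commit it resolved to
      - name: pinned
        uses: reviewdog/action-setup@0000000000000000000000000000000000000000
      - uses: reviewdog/action-golangci-lint@v2
"""

if __name__ == "__main__":
    for hit in find_action_refs(SAMPLE_WORKFLOW):
        status = "sha-pinned" if hit["sha_pinned"] else "MUTABLE REF"
        print(f"line {hit['line']}: {TARGET_ACTION}@{hit['ref']} [{status}]")
```

Run `scan_repo(Path("/path/to/checkout"))` against each cloned repository to build the inventory; any finding with `sha_pinned` false should be checked against the vendor guidance before the workflow runs again.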

Evidence notes

CVE and source records are both dated 2025-03-24 in the supplied corpus. CISA KEV lists reviewdog/action-setup as a known exploited vulnerability, sets a due date of 2025-04-14, and states: "Apply mitigations as set forth in the CISA instructions linked below... or discontinue use of the product if mitigations are unavailable." The supplied corpus does not include a CVSS score.

Official resources

Published and modified on 2025-03-24. CISA KEV added on 2025-03-24 with a mitigation due date of 2025-04-14.