Multiple Reviewdog actions were compromised during a specific time period

Summary

reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs.

Other reviewdog actions that use reviewdog/action-setup@v1 would also be compromised, regardless of version or pinning method:

reviewdog/action-shellcheck
reviewdog/action-composite-template
reviewdog/action-staticcheck
reviewdog/action-ast-grep
reviewdog/action-typos

Details

Malicious commit: reviewdog/action-setup@f0d342d
fix/retag via version upgrade: reviewdog/action-setup@3f401fe

See the detailed report from Wiz Research: Wiz Blog Post and reviewdog maintainer annoucement: reviewdog #2079

References

haya14busa published to reviewdog/reviewdog Mar 19, 2025

Published to the GitHub Advisory Database Mar 19, 2025

Reviewed Mar 19, 2025

Published by the National Vulnerability Database Mar 19, 2025

Last updated Mar 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Details

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

CVE ID

GHSA ID

Source code

Credits