GHSA-qmg3-hpqr-gqvc · 深刻度: high · エコシステム: actions — Multiple Reviewdog actions were compromised during a specific time period
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
総合評価: CVE-2025-30154 は在野悪用が確認された重大脅威(87.9/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 2.30%、81 パーセンタイル) 根拠: CISA KEV に登録(追加日 2025-03-24)。reviewdog / action-setup GitHub Action が対象で、弱点分類 CWE-506の悪用が確認されています。未認証でリモート管理権限を奪取されるリスクが極めて高い。 推奨対応: CISA の対応期限を過ぎています。緊急のパッチ適用を最優先に検討してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
: reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability · CISA KEV の詳細
: 2025-03-24
: 2025-04-14
: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
| EDB-ID | ソース | 種別 | 公開 | リンク |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-20 | 2.20% | 2.30% | +0.10% |
| 2 | 2026-06-15 | 44.23% | 2.20% | -42.04% |
| 3 | 2026-06-12 | — | 44.23% | — |
EPSS の全履歴 (全 28 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 8.6 | 3.1 | HIGH |
|
3.9 | 4.0 | [email protected] |
| 8.6 | 3.1 | HIGH |
|
3.9 | 4.0 | [email protected] |
GHSA-qmg3-hpqr-gqvc · 深刻度: high · エコシステム: actions — Multiple Reviewdog actions were compromised during a specific time period
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| reviewdog | action-ast-grep | < 1.26.2 | cpe:2.3:a:reviewdog:action-ast-grep:*:*:*:*:*:*:*:* |
| reviewdog | action-composite-template | < 0.20.2 | cpe:2.3:a:reviewdog:action-composite-template:*:*:*:*:*:*:*:* |
| reviewdog | action-setup | 1 | cpe:2.3:a:reviewdog:action-setup:1:*:*:*:*:*:*:* |
| reviewdog | action-shellcheck | < 1.29.2 | cpe:2.3:a:reviewdog:action-shellcheck:*:*:*:*:*:*:*:* |
| reviewdog | action-staticcheck | < 1.26.2 | cpe:2.3:a:reviewdog:action-staticcheck:*:*:*:*:*:*:*:* |
| reviewdog | action-typos | < 1.17.2 | cpe:2.3:a:reviewdog:action-typos:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887 | Patch |
| https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec | Patch |
| https://github.com/reviewdog/reviewdog/issues/2079 | Issue Tracking Vendor Advisory |
| https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc | Vendor Advisory |
| https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154 | US Government Resource |