Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-7ytz-4ca2-d3be

Summary reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Aliases

alias	CVE-2025-30154

alias	GHSA-qmg3-hpqr-gqvc

Fixed_packages

Affected_packages

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-30154

reference_id

reference_type

scores

value	0.37078
scoring_system	epss
scoring_elements	0.97265
published_at	2026-06-11T12:55:00Z

value	0.44233
scoring_system	epss
scoring_elements	0.97642
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-30154

reference_url

https://github.com/reviewdog/reviewdog

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/reviewdog/reviewdog

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-30154

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-30154

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154

reference_url

https://github.com/reviewdog/reviewdog/issues/2079

reference_id

2079

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-03-25T03:55:16Z/

url

https://github.com/reviewdog/reviewdog/issues/2079

reference_url

https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887

reference_id

3f401fe1d58fe77e10d665ab713057375e39b887

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-03-25T03:55:16Z/

url

https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887

reference_url

https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

reference_id

f0d342d24037bb11d26b9bd8496e0808ba32e9ec

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-03-25T03:55:16Z/

url

https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

reference_url

https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

reference_id

GHSA-qmg3-hpqr-gqvc

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-03-25T03:55:16Z/

url

https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

reference_url

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

reference_id

new-github-action-supply-chain-attack-reviewdog-action-setup

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-03-25T03:55:16Z/

url

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Weaknesses

cwe_id	506
name	Embedded Malicious Code
description	The product contains code that appears to be malicious in nature.

Exploits

date_added	2025-03-24
description	reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs.
required_action	Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
due_date	2025-04-14
notes	This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction ; Additional References: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc ; https://nvd.nist.gov/vuln/detail/CVE-2025-30154
known_ransomware_campaign_use	`false`
source_date_published	`null`
exploit_type	`null`
platform	`null`
source_date_updated	`null`
data_source	KEV
source_url	`null`

Severity_range_score 7.0 - 8.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ytz-4ca2-d3be

Vulnerability Instance