CWE-506
Embedded Malicious Code
The product contains code that appears to be malicious in nature.
CVE-2024-3094 (GCVE-0-2024-3094)
Vulnerability from cvelistv5
Published
2024-03-29 16:51
Modified
2025-08-19 01:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-3094 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2272210 | issue-tracking, x_refsource_REDHAT | |
| https://www.openwall.com/lists/oss-security/2024/03/29/4 | ||
| https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 5.6.0 Version: 5.6.1 |
|||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T04:00:23.138684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T15:37:17.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-08-19T00:24:09.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"
},
{
"tags": [
"x_transferred"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"
},
{
"tags": [
"x_transferred"
],
"url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.gentoo.org/928134"
},
{
"name": "RHBZ#2272210",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"
},
{
"tags": [
"x_transferred"
],
"url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/amlweems/xzbot"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/karcherm/xz-malware"
},
{
"tags": [
"x_transferred"
],
"url": "https://gynvael.coldwind.pl/?lang=en\u0026id=782"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lwn.net/Articles/967180/"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39865810"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39877267"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39895344"
},
{
"tags": [
"x_transferred"
],
"url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.swtch.com/xz-script"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.swtch.com/xz-timeline"
},
{
"tags": [
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.archlinux.org/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://tukaani.org/xz-backdoor/"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/debian/status/1774219194638409898"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/infosecb/status/1774595540233167206"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/infosecb/status/1774597228864139400"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.kali.org/blog/about-the-xz-backdoor/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://xeiaso.net/notes/2024/xz-vuln/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/tukaani-project/xz",
"defaultStatus": "unaffected",
"packageName": "xz",
"versions": [
{
"status": "affected",
"version": "5.6.0"
},
{
"status": "affected",
"version": "5.6.1"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Andres Freund for reporting this issue."
}
],
"datePublic": "2024-03-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T01:03:12.439Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3094"
},
{
"name": "RHBZ#2272210",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
},
{
"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-03-29T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Xz: malicious code in distributed source",
"x_redhatCweChain": "CWE-506: Embedded Malicious Code"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3094",
"datePublished": "2024-03-29T16:51:12.588Z",
"dateReserved": "2024-03-29T15:38:13.249Z",
"dateUpdated": "2025-08-19T01:03:12.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4978 (GCVE-0-2024-4978)
Vulnerability from cvelistv5
Published
2024-05-23 01:56
Modified
2025-07-30 01:37
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Justice AV Solutions | Viewer |
Version: 8.3.7.250 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:javs:viewer:8.3.7.250:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewer",
"vendor": "javs",
"versions": [
{
"status": "affected",
"version": "8.3.7.250"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4978",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T11:12:54.307588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-05-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4978"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:03.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2024-05-29T00:00:00+00:00",
"value": "CVE-2024-4978 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/2RunJack2/status/1775052981966377148"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.javs.com/downloads/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Viewer",
"vendor": "Justice AV Solutions",
"versions": [
{
"status": "affected",
"version": "8.3.7.250"
}
]
}
],
"datePublic": "2024-05-23T00:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.\u0026nbsp;"
}
],
"value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T17:11:59.027Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"url": "https://twitter.com/2RunJack2/status/1775052981966377148"
},
{
"url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
},
{
"url": "https://www.javs.com/downloads/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Malicious Code in Justice AV Solutions (JAVS) Viewer",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-4978",
"datePublished": "2024-05-23T01:56:37.946Z",
"dateReserved": "2024-05-15T21:03:53.551Z",
"dateUpdated": "2025-07-30T01:37:03.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30066 (GCVE-0-2025-30066)
Vulnerability from cvelistv5
Published
2025-03-15 00:00
Modified
2025-07-30 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tj-actions | changed-files |
Version: 1 < 46 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30066",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-22T03:55:44.803134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-18",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30066"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:36:16.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-18T00:00:00+00:00",
"value": "CVE-2025-30066 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-03-18T21:05:17.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "changed-files",
"vendor": "tj-actions",
"versions": [
{
"lessThan": "46",
"status": "affected",
"version": "1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
"versionEndExcluding": "46",
"versionStartIncluding": "1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T21:59:21.617Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2463"
},
{
"url": "https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised"
},
{
"url": "https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/"
},
{
"url": "https://news.ycombinator.com/item?id=43368870"
},
{
"url": "https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463"
},
{
"url": "https://news.ycombinator.com/item?id=43367987"
},
{
"url": "https://github.com/rackerlabs/genestack/pull/903"
},
{
"url": "https://github.com/chains-project/maven-lockfile/pull/1111"
},
{
"url": "https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/"
},
{
"url": "https://github.com/espressif/arduino-esp32/issues/11127"
},
{
"url": "https://github.com/modal-labs/modal-examples/issues/1100"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2464"
},
{
"url": "https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28"
},
{
"url": "https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066"
},
{
"url": "https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond"
},
{
"url": "https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2477"
},
{
"url": "https://blog.gitguardian.com/compromised-tj-actions/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30066",
"datePublished": "2025-03-15T00:00:00.000Z",
"dateReserved": "2025-03-15T00:00:00.000Z",
"dateUpdated": "2025-07-30T01:36:16.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30154 (GCVE-0-2025-30154)
Vulnerability from cvelistv5
Published
2025-03-19 15:15
Modified
2025-07-30 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30154",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T03:55:16.734240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-24",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:36:16.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-24T00:00:00+00:00",
"value": "CVE-2025-30154 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "reviewdog",
"vendor": "reviewdog",
"versions": [
{
"status": "affected",
"version": "= 1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:15:29.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc"
},
{
"name": "https://github.com/reviewdog/reviewdog/issues/2079",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/reviewdog/issues/2079"
},
{
"name": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887"
},
{
"name": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec"
},
{
"name": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup"
}
],
"source": {
"advisory": "GHSA-qmg3-hpqr-gqvc",
"discovery": "UNKNOWN"
},
"title": "Multiple Reviewdog actions were compromised during a specific time period"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30154",
"datePublished": "2025-03-19T15:15:29.113Z",
"dateReserved": "2025-03-17T12:41:42.566Z",
"dateUpdated": "2025-07-30T01:36:16.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54313 (GCVE-0-2025-54313)
Vulnerability from cvelistv5
Published
2025-07-19 00:00
Modified
2025-07-23 15:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prettier | eslint-config-prettier |
Version: 8.10.1 ≤ Version: 9.1.1 ≤ Version: 10.1.6 ≤ Version: 10.1.7 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-07-21T16:09:03.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/community-scripts/ProxmoxVE/discussions/6115"
},
{
"url": "https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54313",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T14:43:52.086461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T15:16:25.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "eslint-config-prettier",
"vendor": "prettier",
"versions": [
{
"status": "affected",
"version": "8.10.1",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.1.1",
"versionType": "semver"
},
{
"status": "affected",
"version": "10.1.6",
"versionType": "semver"
},
{
"status": "affected",
"version": "10.1.7",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-19T16:43:13.088Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"
},
{
"url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"
},
{
"url": "https://github.com/prettier/eslint-config-prettier/issues/339"
},
{
"url": "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"
},
{
"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"
},
{
"url": "https://news.ycombinator.com/item?id=44609732"
},
{
"url": "https://news.ycombinator.com/item?id=44608811"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-54313",
"datePublished": "2025-07-19T00:00:00.000Z",
"dateReserved": "2025-07-19T00:00:00.000Z",
"dateUpdated": "2025-07-23T15:16:25.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8217 (GCVE-0-2025-8217)
Vulnerability from cvelistv5
Published
2025-07-30 00:34
Modified
2025-07-30 15:25
Severity ?
5.1 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.
To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
References
| ▼ | URL | Tags |
|---|---|---|
| https://aws.amazon.com/security/security-bulletins/AWS-2025-015/ | vendor-advisory | |
| https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw | third-party-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Amazon | Q Developer VS Code Extension |
Version: 1.84.0 ≤ Version: sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T13:23:17.479055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T15:25:16.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Q Developer VS Code Extension",
"vendor": "Amazon",
"versions": [
{
"lessThan": "1.85.0",
"status": "affected",
"version": "1.84.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464",
"versionType": "git"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.\u003c/p\u003e"
}
],
"value": "The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.\n\n\n\nTo mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use."
}
],
"impacts": [
{
"capecId": "CAPEC-442",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-442 Infected Software"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T00:34:06.733Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-015/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-8217",
"datePublished": "2025-07-30T00:34:06.733Z",
"dateReserved": "2025-07-25T21:50:50.324Z",
"dateUpdated": "2025-07-30T15:25:16.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Testing
Description:
- Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.