Supply Chain Compromise of the tj-actions changed-files GitHub Action: Malicious Code Exposing Secrets in Workflow Logs
CVE-2025-30066

8.6 HIGH (CVSS v3.1)

Key Information:

Vendor: tj-actions
Product: changed-files
CVE Published: 15 March 2025

Badges

🔥 Trending now · 📈 Trended · 📈 Score: 9,880 · 👾 Exploit exists · 🟣 EPSS 66% · 🦅 CISA reported · 📰 News worthy

What is CVE-2025-30066?

CVE-2025-30066 is a supply chain compromise of the tj-actions/changed-files GitHub Action, a widely used action that lists the files changed in a push or pull request so that later workflow steps can act on them. A threat actor modified the action's code so that, when it ran inside a repository's CI job, it wrote secrets available to that job into the workflow log, where anyone able to read the log (for a public repository, everyone) could collect them. Any project that ran an affected version while the compromise was live should assume that the secrets its workflows had access to (GitHub tokens, cloud credentials, deploy keys and similar) were exposed, rotate them, and review how the action is referenced in its workflows.

Technical Details

The vulnerability is not a coding defect in the action itself. The release tags v1 through v45.0.7 originally pointed at benign code, but a threat actor retargeted them at a malicious commit (the CVE description names commit 0e58ed8), so every workflow that referenced the action by tag, for example `uses: tj-actions/changed-files@v45`, fetched and executed the malicious code on its next run. That code wrote secrets from the runner into the action's logs, which remote attackers could then read. Two practical points follow for anyone consuming third-party actions: a tag is a mutable pointer that its owner (or whoever controls the owner's account) can move at any time, whereas a full 40-character commit SHA cannot be retargeted, so actions should be pinned to SHAs; and if an affected version ran in your workflows, review the logs for that period and rotate every secret those jobs could reach.
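The tag-versus-SHA point above is the check most teams need to run against their own repositories. The following Python script is an added example written for this page; it is not the tj-actions project's code and does not appear on the original page. It scans GitHub Actions workflow text for `uses: tj-actions/changed-files@<ref>` lines, classifies each reference as an immutable commit SHA, a mutable tag inside the affected range (1 up to, but not including, 46), a mutable tag outside that range, or a branch name, and can rewrite tag references to a SHA pin. The workflow text and the 40-hex placeholder SHA in it are constructed for the example; the only real identifier is the 0e58ed8 commit prefix named in the CVE description, which the script flags if a workflow is pinned directly to it.

```python
import re

# Constructed sample workflow for this example; it is not taken from any real
# repository, and the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files, pinned by mutable tag inside the affected range
        uses: tj-actions/changed-files@v45
      - name: changed files, pinned by mutable tag outside the affected range
        uses: tj-actions/changed-files@v46.0.1
      - name: changed files, pinned by immutable commit SHA (placeholder)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # v46.0.1
      - name: changed files, pinned by a branch name
        uses: tj-actions/changed-files@main
"""

AFFECTED_ACTION = "tj-actions/changed-files"
FIXED_MAJOR = 46                       # affected range on this page: 1 < 46
MALICIOUS_COMMIT_PREFIX = "0e58ed8"    # commit named in the CVE description

# "uses: owner/repo@ref", with or without a leading "- "; ref stops at space or '#'
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_ref(ref):
    """Classify one @ref of tj-actions/changed-files.

    'malicious-sha' : pinned to the commit named in the CVE description
    'sha-pinned'    : immutable 40-hex SHA, immune to tag retargeting
    'affected-tag'  : mutable tag in the range v1 .. v45.x
    'mutable-tag'   : mutable tag outside that range (still retargetable)
    'mutable-ref'   : branch or other non-version reference
    """
    if SHA_RE.match(ref):
        return "malicious-sha" if ref.startswith(MALICIOUS_COMMIT_PREFIX) else "sha-pinned"
    m = TAG_RE.match(ref)
    if m is None:
        return "mutable-ref"
    major = int(m.group(1))
    return "affected-tag" if 1 <= major < FIXED_MAJOR else "mutable-tag"


def audit_workflow(text):
    """Return (line_number, ref, classification) for each use of the action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1) == AFFECTED_ACTION:
            findings.append((lineno, m.group(2), classify_ref(m.group(2))))
    return findings


def pin_to_sha(text, sha, version_label):
    """Rewrite every tj-actions/changed-files reference to an immutable SHA,
    keeping the human-readable version as a trailing comment."""
    pattern = re.compile(rf"({re.escape(AFFECTED_ACTION)})@[^\s#]+(?:[ \t]*#[^\n]*)?")
    return pattern.sub(lambda m: f"{m.group(1)}@{sha}  # {version_label}", text)


if __name__ == "__main__":
    for lineno, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} -> {status}")
    fixed = pin_to_sha(SAMPLE_WORKFLOW, "0123456789abcdef0123456789abcdef01234567", "v46.0.1")
    print(fixed)
```

On a real repository, feed the script each file under .github/workflows/ and pin to the SHA of a release you have verified yourself, for example by checking out the tag and recording `git rev-parse HEAD`. Pinning stops future tag retargeting; it does not undo a past exposure, so secrets that affected workflows could see still need to be rotated.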

Potential impact of CVE-2025-30066

  1. Exposure of Sensitive Data: The primary impact is the disclosure of secrets available to the workflow, such as API keys, cloud credentials and GitHub tokens, written into action logs. For public repositories those logs are readable by anyone, so an attacker can harvest the secrets and use them for follow-on attacks against the owning organization.

  2. Supply Chain Risks: Because the compromised component is a build-time dependency, every project that consumed it by tag inherited the malicious code automatically on its next workflow run. Secrets stolen from those builds, such as package-publishing tokens or signing material, can in turn be used to tamper with downstream releases, spreading the compromise across interconnected systems.

  3. Reputation Damage and Financial Loss: Organizations affected by the exploitation of this vulnerability may experience significant damage to their reputation, resulting in loss of customer trust, along with potential financial repercussions due to data breaches or compliance issues.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited in the wild, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

changed-files versions from 1 up to, but not including, 46 (the tags v1 through v45.0.7)

News Articles

CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation

1 week ago

CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

CISA warns of CVE-2025-30066, a GitHub supply chain attack exposing secrets via compromised actions logs. Update tj-actions/changed-files by April 4.

1 week ago


EPSS Score

66% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 📈 Vulnerability started trending

  • 📰 First article discovered by The Hacker News

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • Vulnerability published

  • Vulnerability Reserved
