CVE-2025-30066


CVSS 8.6 HIGH | EPSS 41.0% | KEV | CWE-506
In short

The tj-actions/changed-files GitHub Action was compromised. A threat actor rewrote its existing release tags so that they pointed at a commit containing malicious code; every workflow that resolved one of those tags ran that code, which wrote the job's secrets into the workflow logs. Anyone who could read those logs (for public repositories, everyone) could collect the secrets. Releases from v46 onward are not affected.

Technical detail

CWE-506 (embedded malicious code) in tj-actions/changed-files up to and including v45.0.7. On 2025-03-14 and 2025-03-15 the release tags v1 through v45.0.7 were retroactively moved to point at commit 0e58ed8, which carried unauthorized updateFeatures code that exfiltrated the workflow's secrets by printing them into the workflow logs, where remote attackers could read them. Any workflow that resolved one of those tags while they were tampered ran the malicious commit. Workflows pinned to a legitimate full commit SHA were not affected, because moving a tag does not change what a commit SHA resolves to.

Summary generated and translated by AI from the official description.
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
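Added example (not code from this page or from the tj-actions project): a scanner that finds `uses: tj-actions/changed-files@<ref>` steps in a workflow file and classifies each ref. The attack only reached workflows that resolved a mutable tag in the rewritten range; a full-SHA pin to a legitimate commit was not redirected, while a SHA pin to the malicious commit itself would still be bad. The sample workflow, the all-'a' SHA and the zero-padded malicious SHA are constructed placeholders; only the 0e58ed8 prefix and the v1 through v45.0.7 range come from the advisory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

ACTION = "tj-actions/changed-files"
# The advisory names tags v1 through v45.0.7 as the ones the threat actor rewrote.
LAST_AFFECTED_TAG = (45, 0, 7)
# Abbreviated hash of the malicious commit, as given in the advisory.
MALICIOUS_COMMIT_PREFIX = "0e58ed8"

# Matches `uses: tj-actions/changed-files@<ref>`, with or without quotes.
USES_RE = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow file
    ref: str       # the ref after '@'
    verdict: str   # one of the strings documented in classify_ref


def classify_ref(ref: str) -> str:
    """Classify how a workflow references the action.

    pinned-sha     full commit SHA; a tag rewrite cannot redirect it
    malicious-sha  full SHA starting with the advisory's malicious commit prefix
    affected-tag   a tag in v1..v45.0.7, the range the threat actor rewrote
    mutable-tag    a version tag outside that range; still movable by anyone
                   who can push tags to the upstream repository
    mutable-ref    a branch name or other non-SHA ref
    """
    if FULL_SHA_RE.match(ref):
        if ref.startswith(MALICIOUS_COMMIT_PREFIX):
            return "malicious-sha"
        return "pinned-sha"
    m = TAG_RE.match(ref)
    if m:
        # "v45" and "v45.0" pad to (45, 0, 0), which lies inside the affected range.
        version = tuple(int(part) if part is not None else 0 for part in m.groups())
        return "affected-tag" if version <= LAST_AFFECTED_TAG else "mutable-tag"
    return "mutable-ref"


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per step that uses tj-actions/changed-files."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            findings.append(Finding(lineno, ref, classify_ref(ref)))
    return findings


def refs_at_risk(findings: list[Finding]) -> list[Finding]:
    """Findings that could have executed the malicious commit.

    A static scan cannot tell whether the workflow actually ran while the tags
    were tampered (2025-03-14/15); treat these as "rotate secrets and review
    logs" candidates, not as proof of compromise.
    """
    return [f for f in findings if f.verdict in ("affected-tag", "malicious-sha")]


# Placeholders built for this example: a fake legitimate SHA, and the advisory's
# 7-character malicious prefix padded with zeros to a full 40-character SHA.
LEGIT_SHA_PLACEHOLDER = "a" * 40
MALICIOUS_SHA_PLACEHOLDER = MALICIOUS_COMMIT_PREFIX + "0" * 33

# Constructed sample workflow for this example (not from any real repository).
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # floating major tag: resolved to the malicious commit while tags were tampered
      - uses: tj-actions/changed-files@v45
      # exact version tag: also rewritten, exactness does not help
      - uses: tj-actions/changed-files@v45.0.7
      # full SHA pin to a (placeholder) legitimate commit: not redirected
      - uses: tj-actions/changed-files@{LEGIT_SHA_PLACEHOLDER}
      # post-incident release tag, quoted; still a mutable reference
      - uses: "tj-actions/changed-files@v46"
      # SHA pin straight to the malicious commit (prefix from the advisory, zeros are filler)
      - uses: tj-actions/changed-files@{MALICIOUS_SHA_PLACEHOLDER}
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.verdict:<14} {f.ref}")
```

A hit on a tag in the affected range says only that the workflow could have run the malicious commit; whether it did depends on whether a job executed while the tags were tampered, which needs the run history for 14 and 15 March 2025. Treat such hits as a prompt to rotate every secret that job could see and to review its logs from that window.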
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
