Vulnerability Details: CVE-2025-30066

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 15 Mar, 2025 | 00:00
Updated At: 30 Jul, 2025 | 01:36
Rejected At: -

tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability

tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading GitHub Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

Known Exploited Vulnerabilities (KEV), cisa.gov
Vendor: tj-actions
Product: changed-files GitHub Action
Added At: 18 Mar, 2025
Due At: 08 Apr, 2025

Used in Ransomware: Unknown
CWE: CWE-506

Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see:
CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
Additional References:
https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
https://nvd.nist.gov/vuln/detail/CVE-2025-30066
Common Vulnerabilities and Exposures (CVE), cve.org
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 15 Mar, 2025 | 00:00
Updated At: 30 Jul, 2025 | 01:36
Rejected At: -

CVE Numbering Authority (CNA)

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

Affected Products
Vendor: tj-actions
Product: changed-files
Default Status: unaffected
Versions Affected: from 1 before 46 (custom)

Problem Types
Type: CWE
CWE ID: CWE-506
Description: CWE-506 Embedded Malicious Code

Metrics
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References (resource type N/A for all entries)
https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
https://github.com/tj-actions/changed-files/issues/2463
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
https://news.ycombinator.com/item?id=43368870
https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463
https://news.ycombinator.com/item?id=43367987
https://github.com/rackerlabs/genestack/pull/903
https://github.com/chains-project/maven-lockfile/pull/1111
https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
https://github.com/espressif/arduino-esp32/issues/11127
https://github.com/modal-labs/modal-examples/issues/1100
https://github.com/tj-actions/changed-files/issues/2464
https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
https://github.com/tj-actions/changed-files/issues/2477
https://blog.gitguardian.com/compromised-tj-actions/
Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment
KEV date added: 2025-03-18
KEV reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30066
Timeline:
Event: CVE-2025-30066 added to CISA KEV
Date: 2025-03-18 00:00:00

2. CVE Program Container
References (resource type N/A):
https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
National Vulnerability Database (NVD), nvd.nist.gov
Source: cve@mitre.org
Published At: 15 Mar, 2025 | 06:15
Updated At: 29 Mar, 2025 | 01:00

CISA Catalog
Date Added: 2025-03-18
Due Date: 2025-04-08
Vulnerability Name: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Metrics
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Type: Primary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CPE Matches
Vendor: tj-actions
Product: changed-files
Versions: up to 45.0.7 (inclusive)
CPE: cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*

Weaknesses
CWE ID: CWE-506
Type: Secondary
Source: cve@mitre.org

CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
References (hyperlink; source; resource type)
https://blog.gitguardian.com/compromised-tj-actions/ ; cve@mitre.org ; Exploit, Third Party Advisory
https://github.com/chains-project/maven-lockfile/pull/1111 ; cve@mitre.org ; Issue Tracking
https://github.com/espressif/arduino-esp32/issues/11127 ; cve@mitre.org ; Issue Tracking
https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193 ; cve@mitre.org ; Product
https://github.com/modal-labs/modal-examples/issues/1100 ; cve@mitre.org ; Issue Tracking
https://github.com/rackerlabs/genestack/pull/903 ; cve@mitre.org ; Issue Tracking
https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28 ; cve@mitre.org ; Product
https://github.com/tj-actions/changed-files/issues/2463 ; cve@mitre.org ; Issue Tracking
https://github.com/tj-actions/changed-files/issues/2464 ; cve@mitre.org ; Issue Tracking
https://github.com/tj-actions/changed-files/issues/2477 ; cve@mitre.org ; Issue Tracking
https://news.ycombinator.com/item?id=43367987 ; cve@mitre.org ; Issue Tracking, Third Party Advisory
https://news.ycombinator.com/item?id=43368870 ; cve@mitre.org ; Issue Tracking, Third Party Advisory
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ ; cve@mitre.org ; Third Party Advisory
https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/ ; cve@mitre.org ; Mitigation, Third Party Advisory
https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463 ; cve@mitre.org ; Issue Tracking
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised ; cve@mitre.org ; Exploit, Mitigation, Third Party Advisory
https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond ; cve@mitre.org ; Third Party Advisory
https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack ; cve@mitre.org ; Third Party Advisory
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 ; cve@mitre.org ; Third Party Advisory
https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066 ; af854a3a-2127-422b-91ae-364da2661108 ; Third Party Advisory, US Government Resource


Similar CVEs

1 record found

CVE-2025-30154
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 8.6 (HIGH)
EPSS: 37.11% / 97.04%; 7 day change +6.20%
Published: 19 Mar, 2025 | 15:15
Updated: 30 Jul, 2025 | 01:36
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Known KEV: Action Due Date 2025-04-14; Required Action: Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Multiple Reviewdog actions were compromised during a specific time period

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and would therefore also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Action: Not Available
Vendor: reviewdog
Products: action-setup, action-shellcheck, action-composite-template, action-ast-grep, action-typos, action-staticcheck, reviewdog, action-setup GitHub Action
CWE ID: CWE-506 (Embedded Malicious Code)