CVE-2025-30066
Published: 15 March 2025
Summary
CVE-2025-30066 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in the tj-actions/changed-files GitHub Action. Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SR-11 (Component Authenticity).
Deeper analysis
CVE-2025-30066 affects the tj-actions/changed-files GitHub Action in versions before 46. It is not a bug in the action's intended logic but a supply-chain compromise: on 2025-03-14 and 2025-03-15 a threat actor force-moved the release tags v1 through v45.0.7 so that they all resolved to commit 0e58ed8, which carried malicious code in an updateFeatures function (hence the CWE-506, Embedded Malicious Code, classification). Any workflow that referenced the action by one of those tags ran the malicious commit on its next execution. The injected code wrote secrets available to the runner into the workflow's log output; on public repositories those logs are readable by anyone, so the secrets could be collected remotely.
No authentication or user interaction is required: an attacker only needs network access to read the affected logs, and the impact is a high-severity confidentiality loss of whatever credentials the compromised workflow held. The CVSS 8.6 score reflects the changed scope (the malicious action affects the calling repository's secrets, not just the action itself) together with the absence of required privileges or user interaction.
Public references, including GitGuardian's analysis and GitHub's security-hardening guidance, recommend pinning third-party actions to a full commit SHA rather than a mutable version tag, reviewing workflow logs from the affected window for unexpected output, and rotating any secrets that a workflow using the action could have exposed. Note that pinning alone is not a retroactive fix: a workflow already pinned to the malicious commit is still compromised until it is repointed. The associated EPSS score remains elevated near 0.92, indicating sustained exploitation interest following disclosure of the tag-poisoning incident.
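The pinning advice above is easy to state and easy to get wrong at scale, so here is a small audit script that implements it. This is an added example, not code from the original page or from the tj-actions project: it scans a workflow file's uses: references, reports which are pinned to a full 40-hex commit SHA, flags tj-actions/changed-files references at a version tag below 46 (the range whose tags were repointed), and also flags a SHA pin that begins with the malicious prefix 0e58ed8 named on this page, since a SHA pin to the bad commit is immutable but still compromised. The sample workflow, the GOOD_SHA placeholder and the zero-padded BAD_SHA are constructed for the example; only the 0e58ed8 prefix comes from the page.

```python
import re

# Constructed sample workflow for this example (not from the original page).
GOOD_SHA = "0123456789abcdef" * 2 + "01234567"  # placeholder 40-hex pin, not a real commit
BAD_SHA = "0e58ed8" + "0" * 33                   # page's malicious prefix 0e58ed8, padded to 40 hex
SAMPLE_WORKFLOW = "\n".join([
    "name: ci",
    "on: [pull_request]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - name: changed files via mutable major tag",
    "        uses: tj-actions/changed-files@v45",
    '      - uses: "tj-actions/changed-files@v45.0.7"',
    f"      - uses: tj-actions/changed-files@{GOOD_SHA} # v46.0.1",
    f"      - uses: tj-actions/changed-files@{BAD_SHA}",
    "      - uses: ./.github/actions/local-step",
    "      - uses: docker://alpine:3.19",
])

USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
AFFECTED_ACTION = "tj-actions/changed-files"
FIXED_MAJOR = 46            # the page: versions before 46 are affected
KNOWN_BAD_PREFIX = "0e58ed8"  # commit the repointed tags resolved to


def parse_uses(workflow_text):
    """Return (action, ref) pairs for remote action references in a workflow.

    Local (./path) and docker:// references carry no git ref to pin, so they
    are skipped rather than reported.
    """
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append((action, ref))
    return refs


def is_pinned(ref):
    """A reference is immutable only if it is a full 40-hex commit SHA."""
    return bool(FULL_SHA_RE.match(ref))


def tag_version(ref):
    """Parse 'v45' or 'v45.0.7' into a tuple of ints; None for branches etc."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", ref)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def audit(workflow_text):
    """Classify every remote action reference in the workflow.

    status is one of:
      pinned    - full SHA, not known bad
      malicious - full SHA for the affected action starting with 0e58ed8
      affected  - tj-actions/changed-files at a version tag below 46
      unpinned  - any other mutable tag or branch reference
    """
    findings = []
    for action, ref in parse_uses(workflow_text):
        if is_pinned(ref):
            bad = action == AFFECTED_ACTION and ref.startswith(KNOWN_BAD_PREFIX)
            status = "malicious" if bad else "pinned"
        elif action == AFFECTED_ACTION:
            ver = tag_version(ref)
            status = "affected" if ver is not None and ver[0] < FIXED_MAJOR else "unpinned"
        else:
            status = "unpinned"
        findings.append({"action": action, "ref": ref, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"{f['status']:9} {f['action']}@{f['ref']}")
```

Run it against real workflow files by reading each .github/workflows/*.yml into audit(). Anything reported as affected or malicious needs the reference repointed and, because the compromised run already executed, the repository's secrets rotated; anything reported as unpinned is the general tag-pinning hygiene the references recommend, independent of this CVE.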
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6565
Vulnerability details
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
- CWE(s): CWE-506 (Embedded Malicious Code)
- KEV Date Added: 18 March 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a supply chain compromise via GitHub Action tag tampering (T1195.002) that introduces malicious code which writes secrets into workflow logs, directly enabling credential access from those log files (T1552.001, Unsecured Credentials: Credentials In Files).
Mitigating Controls (NIST 800-53 r5)
- SR-11 (Component Authenticity): verifies the authenticity of GitHub Action components like tj-actions/changed-files, preventing exploitation of tampered tags that point at malicious commits.
- SR-4 (Provenance): establishes and protects the provenance of supply chain artifacts, mitigating tag tampering by threat actors in repositories using affected versions.
- SI-2 (Flaw Remediation): requires timely flaw remediation by updating to tj-actions/changed-files version 46 or later, directly addressing the vulnerability introduced by the malicious commit.