Cyber Resilience

CVE-2025-30066

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 March 2025
Modified: 05 November 2025
KEV Added: 18 March 2025
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.9154 (99.7th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30066 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in the tj-actions/changed-files GitHub Action. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SR-11 (Component Authenticity).

Deeper analysis

The vulnerability CVE-2025-30066 affects the tj-actions/changed-files GitHub Action in versions before 46. It enables remote attackers to discover secrets by reading workflow action logs. The issue stems from a supply-chain compromise in which tags v1 through v45.0.7 were altered on 2025-03-14 and 2025-03-15 to reference commit 0e58ed8 containing malicious updateFeatures code, classified under CWE-506.

Attackers with no authentication or user interaction can exploit the flaw over the network, achieving high-impact confidentiality breaches by extracting secrets that appear in GitHub Actions logs. The CVSS 8.6 score reflects the change in scope and the absence of required privileges or user interaction.

Public references, including GitGuardian analysis and GitHub security-hardening guidance, recommend pinning actions to specific commit hashes rather than version tags, reviewing workflow logs for unexpected changes, and regenerating any secrets that may have been exposed. The associated EPSS score remains elevated near 0.92, indicating sustained exploitation interest following disclosure of the tag-poisoning incident.
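As an added example (not code from this page, from GitHub, or from the tj-actions project), the following audit implements the pinning recommendation above: it classifies each `uses:` reference in a GitHub Actions workflow as SHA-pinned or mutable, and separately flags tj-actions/changed-files references that still point into the v1 to v45.0.7 tag range. The sample workflow, the 40-hex placeholder SHA and the function names are all constructed for this example.

```python
import re

# Per the advisory: tags v1 through v45.0.7 were repointed; the fix is version 46.
FIXED_MAJOR = 46
# Matches a `uses: owner/repo[/subpath]@ref` step in a GitHub Actions workflow.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([\w./-]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is immutable; tags and branches are not

def parse_version(ref):
    """'v45.0.7' -> (45, 0, 7), 'v46' -> (46, 0, 0); None for branch names and other refs."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def audit_workflow(text):
    """Classify every action reference as sha-pinned, affected-tag (tj-actions/changed-files
    at a tag below 46) or mutable-ref (any other tag or branch, which should also be SHA-pinned)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if SHA_RE.match(ref):
            status = "sha-pinned"
        elif action == "tj-actions/changed-files" and (v := parse_version(ref)) and v[0] < FIXED_MAJOR:
            status = "affected-tag"
        else:
            status = "mutable-ref"
        findings.append((lineno, action, ref, status))
    return findings

def affected_refs(text):
    """Only the references that point into the compromised tag range."""
    return [(n, a, r) for n, a, r, s in audit_workflow(text) if s == "affected-tag"]

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45.0.7
        id: changed
      - uses: tj-actions/changed-files@v46
      - uses: actions/setup-node@v4
"""
```

Run `affected_refs()` over every file under `.github/workflows/` to list the steps that must be moved to a full commit SHA; references classified `mutable-ref` are not in the affected range but remain exposed to the same class of tag repointing.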

Vulnerability details

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

CWE(s): CWE-506 (Embedded Malicious Code)
KEV Date Added: 18 March 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The CVE describes a supply chain compromise via GitHub Action tag tampering (T1195.002) that introduces malicious code exposing secrets in logs, directly facilitating credential access from files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-48027 (shared CWE-506; both on KEV)
CVE-2026-8398 (shared CWE-506; both on KEV)
CVE-2025-59374 (shared CWE-506; both on KEV)
CVE-2026-45321 (shared CWE-506; both on KEV)
CVE-2026-33634 (shared CWE-506; both on KEV)
CVE-2025-30154 (shared CWE-506; both on KEV)
CVE-2025-54313 (shared CWE-506; both on KEV)
CVE-2026-34424 (shared CWE-506)
CVE-2024-3094 (shared CWE-506)
CVE-2026-31976 (shared CWE-506)

Affected Assets

tj-actions/changed-files ≤ 45.0.7

Mitigating Controls (NIST 800-53 r5, AI)

SR-11 Component Authenticity (prevent)
Verifies the authenticity of GitHub Action components like tj-actions/changed-files to prevent exploitation of tampered tags pointing to malicious commits.

Supply chain provenance (prevent)
Establishes and protects the provenance of supply chain artifacts, mitigating tag tampering by threat actors in repositories using affected versions.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation by updating to tj-actions/changed-files version 46 or later, directly addressing the vulnerability from the malicious commit.
