CVE-2025-30066
Published: 15 March 2025
Summary
CVE-2025-30066 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in the tj-actions/changed-files GitHub Action. Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SR-11 (Component Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SR-11 (Component Authenticity): verify the authenticity of GitHub Action components such as tj-actions/changed-files so that a tag repointed to a malicious commit is caught rather than silently executed; in practice this means referencing the action by a full commit SHA instead of a mutable tag.
- SR-4 (Provenance): establish and protect the provenance of supply chain artifacts, which mitigates tag tampering by a threat actor in repositories that consume the affected versions.
- SI-2 (Flaw Remediation): remediate promptly by updating to tj-actions/changed-files version 46 or later, which directly addresses the malicious commit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a supply chain compromise carried out by tampering with a GitHub Action's tags (T1195.002, Compromise Software Supply Chain). The malicious code introduced that way writes secrets into workflow logs, which directly enables credential access from those logged artifacts (T1552.001, Credentials In Files).
NVD Description
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
Deeper analysis
CVE-2025-30066 is a vulnerability in the tj-actions/changed-files GitHub Action affecting versions before 46, specifically the tags v1 through v45.0.7. On 2025-03-14 and 2025-03-15 a threat actor repointed those tags at commit 0e58ed8, which contained malicious updateFeatures code; because workflows normally reference an action by tag rather than by commit, every run that resolved one of the repointed tags during that window executed the malicious commit. The flaw lets remote attackers discover secrets by reading GitHub Actions logs, and carries a CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), mapped to CWE-506 (Embedded Malicious Code).
Any remote attacker can exploit this without privileges or user interaction by reading the GitHub Actions logs of repositories that ran an affected version. For a public repository those logs are readable by anyone, which is what makes the attack network-reachable with no authentication (AV:N, PR:N); a private repository's logs are not public, but anyone with read access to the repository can still retrieve them. Successful exploitation yields whatever secrets the malicious code in the tampered commit wrote to the logs, such as tokens or credentials available to the workflow run.
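The log-review side of this, as an added Python example that is not code from the CVE record, GitHub or the tj-actions project: it runs over constructed workflow log lines and reports secret-shaped tokens found either in the clear or inside base64 runs, decoding up to two layers. The page says only that secrets were discoverable in the logs; the base64 handling is this example's generalization, since exfiltrated data is commonly wrapped that way, and the token formats it looks for (GitHub PAT and AWS access key prefixes, the JWT shape) and the fake values in the sample are assumptions chosen for illustration.

```python
"""Find secrets leaked into GitHub Actions log lines, in the clear or base64-wrapped.

Added example, not code from the tj-actions project or the CVE record. The
secret formats, the sample log lines and the fake token values are all
constructed for illustration.
"""
import base64
import binascii
import re

# Secret shapes to look for: documented public prefixes for GitHub personal
# access tokens and AWS access key IDs, plus the three-part JWT shape.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"gh[pousr]_[A-Za-z0-9]{36,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
}

# A base64 run long enough to plausibly carry a secret. The lookarounds stop
# the match from starting or ending inside a longer alphanumeric token.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
MAX_DECODE_DEPTH = 2  # assumption: exfiltrated data may be base64-wrapped more than once


def decode_layers(blob, depth=MAX_DECODE_DEPTH):
    """Yield successive base64 decodings of blob while each layer is valid base64
    that decodes to UTF-8 text; stop at the first layer that is neither."""
    current = blob
    for _ in range(depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return
        yield text
        current = text.strip()


def find_leaked_secrets(log_lines):
    """Return (line_no, kind, encoding, token) for every secret-shaped token.
    encoding is 'plain' or 'base64xN', N being the number of layers decoded."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        # Secrets printed as-is.
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, "plain", match.group()))
        # Secrets hidden inside base64 runs, possibly nested.
        for blob in B64_RUN.findall(line):
            for layer, text in enumerate(decode_layers(blob), start=1):
                for kind, pattern in SECRET_PATTERNS.items():
                    for match in pattern.finditer(text):
                        findings.append((line_no, kind, f"base64x{layer}", match.group()))
    return findings


# Constructed sample log. The tokens are fake values in the right shape.
FAKE_PAT = "ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE0"
FAKE_AWS_KEY = "AKIAEXAMPLEEXAMPLE00"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


SAMPLE_LOG = [
    "2025-03-14T22:00:01Z Run tj-actions/changed-files@v45",
    "2025-03-14T22:00:02Z changed file: src/app.py",
    "2025-03-14T22:00:03Z " + _b64(_b64("AWS_ACCESS_KEY_ID=" + FAKE_AWS_KEY)),  # double-wrapped
    "2025-03-14T22:00:04Z debug: token=" + _b64("GITHUB_TOKEN=" + FAKE_PAT),   # single-wrapped
    "2025-03-14T22:00:05Z " + FAKE_PAT,                                           # in the clear
]

if __name__ == "__main__":
    for line_no, kind, encoding, token in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({encoding}) {token[:8]}...")
```

Run it over a downloaded log archive one line at a time; anything it reports from the affected window should be treated as compromised and rotated, since the log itself is the exposure and cannot be recalled.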
Advisories, including a GitGuardian blog post and GitHub's security hardening guidance for GitHub Actions, recommend updating to tj-actions/changed-files version 46 or later. Downstream projects such as chains-project/maven-lockfile, espressif/arduino-esp32 and modal-labs/modal-examples tracked the issue in pull requests and issues, pinning the action to a verified full-length commit SHA instead of a mutable tag and reviewing workflow logs from the affected window for exposed secrets; any secret that turns up in such a log should be rotated, because reading the log is all an attacker needs.
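The pinning advice above, as an added Python example that is not tooling from GitHub or the tj-actions project: it audits the `uses:` lines of a constructed workflow file, treats only a full 40-hex commit SHA as immutable, flags tj-actions/changed-files references by tag below 46 as being in the tampered range, and flags any reference that starts with the abbreviated malicious commit 0e58ed8 named in the NVD text. The sample workflow and its placeholder SHA are constructed for the example.

```python
"""Audit the `uses:` references in a GitHub Actions workflow for mutable pins.

Added example, not tooling from GitHub or the tj-actions project. Only a full
40-hex commit SHA is treated as immutable; a tag or branch can be repointed by
whoever controls the upstream repository, which is exactly what happened here.
"""
import re

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
AFFECTED_ACTION = "tj-actions/changed-files"
FIRST_SAFE_MAJOR = 46                # NVD: versions "before 46" are affected
MALICIOUS_COMMIT_PREFIX = "0e58ed8"  # abbreviated SHA as given in the NVD description


def parse_version(tag):
    """Return (major, minor, patch) for tags like v45, v45.0.7 or 46.0; None otherwise."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", tag)
    if m is None:
        return None
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def classify_ref(ref):
    """Split 'owner/repo@ref' into (action, ref, kind); kind is 'sha', 'tag', 'other' or 'local'."""
    if "@" not in ref:
        return ref, "", "local"  # ./path or docker:// references carry no upstream version
    action, _, version = ref.rpartition("@")
    if FULL_SHA.fullmatch(version):
        return action, version, "sha"
    if parse_version(version) is not None:
        return action, version, "tag"
    return action, version, "other"  # branch name, short SHA, or anything else mutable


def audit_workflow(yaml_text):
    """Return (line_no, action, ref, status) for every non-local action reference.

    status: 'malicious-commit' if the ref starts with the tampered commit's SHA,
            'pinned' for a full SHA, 'affected-tag' for tj-actions/changed-files
            below 46, 'mutable' for any other tag or branch reference.
    """
    findings = []
    for match in USES_LINE.finditer(yaml_text):
        action, version, kind = classify_ref(match.group(1))
        if kind == "local":
            continue
        line_no = yaml_text.count("\n", 0, match.start(1)) + 1
        if version.startswith(MALICIOUS_COMMIT_PREFIX):
            status = "malicious-commit"
        elif kind == "sha":
            status = "pinned"
        elif (action == AFFECTED_ACTION and kind == "tag"
              and parse_version(version)[0] < FIRST_SAFE_MAJOR):
            status = "affected-tag"
        else:
            status = "mutable"
        findings.append((line_no, action, version, status))
    return findings


# Constructed sample workflow. The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: tag in the tampered range (v1 through v45.0.7)
        uses: tj-actions/changed-files@v45.0.7
      - name: outside the affected range, but a tag is still mutable
        uses: tj-actions/changed-files@v46
      - name: what the advisories recommend, a full commit SHA
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # v46
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, action, version, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{version} -> {status}")
```

Note that a full SHA only protects against tag repointing; a workflow that was SHA-pinned to the malicious commit itself is still compromised, which is why the check looks at the commit prefix before it looks at the reference kind.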
The CVE, published on 2025-03-15, records a real-world supply chain compromise carried out by a threat actor repointing GitHub tags, which is why pinning to a commit SHA rather than to a tag is the durable defense.
Details
- CWE(s): CWE-506 (Embedded Malicious Code)
- KEV Date Added: 18 March 2025