tj-actions:changed-files: information disclosure in tj-actions changed-files GitHub Action (CVE-2025-30066) #shorts
Summary
Welcome to today's security update. We'll be discussing CVE-2025-30066, a newly discovered vulnerability affecting the tj-actions 'changed-files' GitHub Action. This issue has been added to CISA's Known Exploited Vulnerabilities Catalog and involves a significant risk of information disclosure.
Product details
The affected product is the tj-actions 'changed-files' GitHub Action prior to version 46. This Action is used to track which files changed within a repository. Users running any version up to 45.0.7 are at risk and should take immediate action to mitigate potential damage.
Vulnerability type summary
This vulnerability is classified under CWE-506, involving Embedded Malicious Code. Essentially, a threat actor was able to compromise the 'changed-files' GitHub Action and inject malicious code, leading to the inadvertent exposure of secrets through action logs.
Details of the vulnerability
CVE-2025-30066 allows remote attackers to discover sensitive information via malicious updateFeatures code that was inserted into specific versions of 'changed-files'. The attack occurred between March 14 and March 15, 2025, when updates pointing to a malicious commit, 0e58ed8, were released. The compromised versions, from v1 through v45.0.7, pose a significant risk because they expose log data that may contain secrets to unauthorized readers.
Conclusion
In conclusion, CVE-2025-30066 presents a severe threat to users of the 'changed-files' GitHub Action. It is crucial for users employing the affected versions to review and update their secrets immediately. Additionally, users should update to version 46 or later to ensure protection against this vulnerability. Stay vigilant and regularly check for updates on such vulnerabilities from trusted sources like CISA.
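To make the remediation concrete, here is an added example (not code from the advisory, the video, or the tj-actions project) that audits GitHub Actions workflow files for references to tj-actions/changed-files and classifies each reference against the version boundaries stated above: tags v1 through v45.0.7 are treated as affected, the commit prefix 0e58ed8 as malicious, and v46 or later as fixed. The status names, the sample workflow text and the 40-character placeholder SHA are constructed for the example; the only page-specific values are the version boundaries and the short commit prefix.

```python
"""Audit workflow files for tj-actions/changed-files references (CVE-2025-30066).

Added example, not the advisory's or the project's own code. Version boundaries
come from the advisory: v1..v45.0.7 affected, v46+ fixed, commit 0e58ed8 malicious.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

MALICIOUS_COMMIT_PREFIX = "0e58ed8"   # short commit id quoted in the advisory
FIXED_MAJOR = 46                      # first fixed major version per the advisory

# Matches "uses: tj-actions/changed-files@<ref>" and captures <ref>.
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/changed-files@([^\s'\"#]+)", re.IGNORECASE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
VERSION_TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

# Status names are constructed for this example.
REQUIRES_ROTATION = {"malicious-commit", "vulnerable-tag"}


def classify_ref(ref: str) -> str:
    """Classify a single @ref of tj-actions/changed-files.

    'malicious-commit': ref starts with the advisory's malicious commit prefix
    'vulnerable-tag'  : version tag below v46 (the v1..v45.0.7 range)
    'fixed-tag'       : version tag v46 or later
    'sha-pin'         : full 40-hex commit pin (immutable; verify which commit it is)
    'unknown'         : branch name or other floating ref, e.g. 'main'
    """
    ref = ref.strip()
    if ref.lower().startswith(MALICIOUS_COMMIT_PREFIX):
        return "malicious-commit"
    if FULL_SHA_RE.match(ref):
        return "sha-pin"
    m = VERSION_TAG_RE.match(ref)
    if m:
        return "fixed-tag" if int(m.group(1)) >= FIXED_MAJOR else "vulnerable-tag"
    return "unknown"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per changed-files reference: line number, ref, status."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            findings.append({"line": lineno, "ref": ref, "status": classify_ref(ref)})
    return findings


def needs_secret_rotation(findings: List[Dict[str, object]]) -> bool:
    """True if any reference could have executed the compromised code."""
    return any(f["status"] in REQUIRES_ROTATION for f in findings)


# Constructed sample workflow; the 40-hex value is a placeholder pin, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8
      - uses: tj-actions/changed-files@v46.0.1
      - uses: 'tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567'
      - uses: tj-actions/changed-files@main
"""


def report(name: str, text: str) -> None:
    for f in audit_workflow(text):
        print(f"{name}:{f['line']}: {f['ref']} -> {f['status']}")
    if needs_secret_rotation(audit_workflow(text)):
        print(f"{name}: affected reference found; rotate secrets used by this workflow")


if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit the given paths
    # (e.g. .github/workflows/*.yml).
    paths = [Path(p) for p in sys.argv[1:]]
    if not paths:
        report("sample", SAMPLE_WORKFLOW)
    for path in paths:
        report(str(path), path.read_text(encoding="utf-8"))
```

A tag-based result only tells you which version name the workflow asked for, not which commit actually ran: tags are mutable, which is exactly how v1 through v45.0.7 came to point at the malicious commit. For workflows flagged as vulnerable-tag or malicious-commit that ran during the March 14 to 15 window, treat the secrets available to that job as exposed and rotate them, as the advisory says. Pinning to a full commit SHA, as the GitHub security-hardening guide linked under Related Content recommends, makes the reference immutable; the sha-pin status still needs a human to confirm the pinned commit is a trusted one.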
Watch the full video on YouTube: CVE-2025-30066
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
- https://github.com/tj-actions/changed-files/issues/2463
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
- https://news.ycombinator.com/item?id=43368870
- https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463
- https://news.ycombinator.com/item?id=43367987
- https://github.com/rackerlabs/genestack/pull/903
- https://github.com/chains-project/maven-lockfile/pull/1111
- https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
- https://github.com/espressif/arduino-esp32/issues/11127
- https://github.com/modal-labs/modal-examples/issues/1100
- https://github.com/tj-actions/changed-files/issues/2464
- https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
- https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
- https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
- https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
- https://github.com/tj-actions/changed-files/issues/2477
- https://blog.gitguardian.com/compromised-tj-actions/