CVE-2025-30066 — tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
Published: 2025-03-15T00:00:00.000Z
Last modified: 2026-02-26T19:09:29.628Z
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA KEV — Actively Exploited
01 What is this vulnerability?
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
02 Affected products
| Vendor | Product | Versions |
|---|---|---|
| tj-actions | changed-files | v1 through v45.0.7 (all versions before 46) |
03 Active exploitation status
Yes — actively exploited. Added to the CISA KEV catalog on 2025-03-18. Ransomware use: Unknown.
04 Recommended remediation
- Patch to a fixed version listed in the vendor advisory (see references below).
- Mitigate with WAF rules, network egress filters, or feature flags where the patch is not yet available.
- Hunt historical logs for exploitation indicators — see Detection signatures below.
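As an added check alongside the remediation above (example code written for this page, not from the advisory or the tj-actions project): the incident worked because mutable tags were repointed, so the useful audit is how each workflow step pins tj-actions/changed-files. The regex-based `uses:` parser and the sample workflow are constructed assumptions, not a full YAML parser.

```python
"""Added example (not from the advisory or the tj-actions project): classify how
workflow steps pin tj-actions/changed-files. Only a full commit SHA is immutable;
tags v1..v45.0.7 were repointed at malicious commit 0e58ed8 (CVE-2025-30066)."""
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"
FIXED_MAJOR = 46               # advisory: versions before 46 are affected
MALICIOUS_PREFIX = "0e58ed8"   # commit the tags were repointed to (from the advisory)
# `uses: owner/repo[/subdir]@ref` with optional quotes; this regex parser is an
# illustrative assumption, not a full YAML parser
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.\d+)?(?:\.\d+)?$")

def classify_ref(ref: str) -> str:
    """malicious-commit | sha (immutable) | affected-tag (major < 46: this tag
    resolved to the malicious commit during the incident) | mutable (other)."""
    if ref.startswith(MALICIOUS_PREFIX):
        return "malicious-commit"
    if SHA_RE.match(ref):
        return "sha"
    m = TAG_RE.match(ref)
    if m and int(m.group(1)) < FIXED_MAJOR:
        return "affected-tag"
    return "mutable"

def scan_workflow(text: str, action: str = ACTION) -> list[dict]:
    """Every reference to `action` in one workflow file, with its pinning class."""
    return [{"ref": m.group(2), "pinning": classify_ref(m.group(2))}
            for m in USES_RE.finditer(text) if m.group(1).lower() == action]

def scan_repo(root: Path) -> dict[str, list[dict]]:
    # Map each workflow under .github/workflows/ to its findings (clean files skipped)
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = scan_workflow(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample workflow; the 40-hex pin is made up, not a real commit
SAMPLE = """\
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@v46.0.1"
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""
```

Run `scan_repo(Path("."))` from a checkout to list every workflow still on a tag; an `affected-tag` hit means that job resolved to the malicious commit if it ran during the incident window, so its logs and any secrets the job could read should be reviewed.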
05 Technical details
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
06 Detection signatures
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice:
07 Related CVEs
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.
08 Timeline
- Published: 2025-03-15T00:00:00.000Z
- Last modified: 2026-02-26T19:09:29.628Z
- Added to CISA KEV: 2025-03-18
- BOD 22-01 due: 2025-04-08
09 References
- github.com — https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/con…
- github.com — https://github.com/tj-actions/changed-files/issues/2463
- www.stepsecurity.io — https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-file…
- semgrep.dev — https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-c…
- news.ycombinator.com — https://news.ycombinator.com/item?id=43368870
- web.archive.org — https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed…
- news.ycombinator.com — https://news.ycombinator.com/item?id=43367987
- github.com — https://github.com/rackerlabs/genestack/pull/903
- github.com — https://github.com/chains-project/maven-lockfile/pull/1111
- sysdig.com — https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-su…
- github.com — https://github.com/espressif/arduino-esp32/issues/11127
- github.com — https://github.com/modal-labs/modal-examples/issues/1100
- github.com — https://github.com/tj-actions/changed-files/issues/2464
- github.com — https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c…
- www.wiz.io — https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-atta…
- www.stream.security — https://www.stream.security/post/github-action-supply-chain-attack-exposes-secre…
- www.sweet.security — https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
- github.com — https://github.com/tj-actions/changed-files/issues/2477
- blog.gitguardian.com — https://blog.gitguardian.com/compromised-tj-actions/