🟢 CVE-2025-30066

A supply chain attack compromised the tj-actions changed-files GitHub Action: threat actors modified tags v1 through v45.0.7 to point to malicious code that exfiltrates secrets from GitHub Actions workflows. This is not direct server exploitation but a software supply chain compromise affecting CI/CD pipelines.

Risk Level: LOW_RISK

CVSS Score: 8.6

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1195 — Supply Chain Compromise

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-03-15

Added to CISA KEV: 2025-03-18 (3 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-30066 was a significant software supply chain attack involving the popular GitHub Action `tj-actions/changed-files`, which is utilized in over 23,000 repositories [4].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability was actively exploited in the wild between March 14 and March 15, 2025 [1] [3].
  • Threat Actor: The attack involved an unidentified threat actor who compromised the repository and modified existing tags (`v1` through `v45.0.7`) to point to a commit (`0e58ed8`) containing malicious code [1] [3].
  • Cascading Attack: Reports suggest this may have been a cascading supply chain attack, where the attackers first compromised the `reviewdog/action-setup@v1` GitHub Action to gain the access necessary to infiltrate `tj-actions/changed-files` [2].
Attack Method and Impact
  • Method: By redirecting tags to the malicious commit, the attackers injected code designed to exfiltrate sensitive secrets from GitHub Actions workflow logs [3].
  • Impact: Successful exploitation allowed remote attackers to discover and exfiltrate secrets, including AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys [1] [2].
  • Scope: It is estimated that 218 GitHub repositories had their secrets exposed as a result of this compromise [5].
Exploitation Requirements and Availability
  • Requirements: No specific user interaction was required by the victim beyond the standard execution of the compromised GitHub Action within their CI/CD pipeline.
  • Proof-of-Concept/Tools: The "exploit" was the malicious code injected directly into the GitHub Action repository by the threat actor; it was not a standalone tool released for public use.
Affected Versions and Mitigation
  • Affected Versions: Versions `v1` through `v45.0.7` of `tj-actions/changed-files` were affected [1].
  • Status: The vulnerability was addressed by updating the action to version 46 or later [1]. Users were advised to rotate any secrets that may have been exposed during the window of compromise [2].
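
A triage check for the references described above, as an added example (not code from this page or from the tj-actions project): it scans workflow text for `uses:` lines and classifies them using only the facts stated here (tags before 46 affected, commit prefix `0e58ed8`, `reviewdog/action-setup@v1`). The function names, verdict labels and sample workflow are assumptions constructed for illustration.

```python
import re

# From the page: tags v1..v45.0.7 affected, fixed in 46+, malicious commit 0e58ed8,
# and reviewdog/action-setup@v1 as the reported upstream compromise.
BAD_COMMIT = "0e58ed8"
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]+)?@([^\s'"#]+)""")
TAG = re.compile(r"^v?(\d+)(?:\.\d+){0,2}$")
SHA = re.compile(r"^[0-9a-f]{7,40}$")

def classify(action, ref):
    """Triage one `uses: owner/repo@ref` reference; None means not in scope."""
    action, ref = action.lower(), ref.lower()
    if action == "reviewdog/action-setup":
        return "review" if ref == "v1" else None
    if action != "tj-actions/changed-files":
        return None
    if SHA.match(ref):
        return "malicious-commit" if ref.startswith(BAD_COMMIT) else "review"
    tag = TAG.match(ref)
    if tag:
        return "affected-tag" if int(tag.group(1)) < 46 else "fixed"
    return "review"  # branch or unrecognised ref: resolve it by hand

def scan(workflow_text):
    """Return (line_number, action, ref, verdict) for every in-scope reference."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES.match(line)
        if match:
            verdict = classify(*match.groups())
            if verdict:
                findings.append((number, match.group(1), match.group(2), verdict))
    return findings

# Constructed sample workflow. Only the 7-character commit prefix comes from the
# page; the zero padding to 40 characters is a placeholder.
PLACEHOLDER_SHA = BAD_COMMIT + "0" * 33
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@v46.0.1"
      - uses: reviewdog/action-setup@v1
      - name: pinned step
        uses: tj-actions/changed-files@{PLACEHOLDER_SHA}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

An `affected-tag` or `malicious-commit` verdict on a workflow that ran during the compromise window means the secrets available to that job should be rotated, as the advisories cited above recommend.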

Sources

  1. CVE-2025-30066 Details - NVD

    CVE-2025-30066 Detail. Description: tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. ...

  2. CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

    CISA warns of CVE-2025-30066, a GitHub supply chain attack exposing secrets via compromised actions logs. Update tj-actions/changed-files by April 4. ...

  3. CVE-2025-30066: Tj-actions Changed-files Disclosure Flaw

    CVE-2025-30066 Overview CVE-2025-30066 is a critical supply chain vulnerability affecting the popular GitHub Action tj-actions/changed-files. A threat actor compromised the repository and modified tags v1 through v45.0.7 on March 14-15, 2025, redirecting them to a malicious commit (0e58ed8) containi…

  4. GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000...

    The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It's used to track and retrieve all changed files and directories. The supply chain compromise has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). The incident is said to h…

  5. Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218...

    CVE-2025-30066 supply chain attack compromised tj-actions on March 14, 2025, exposing 218 repositories and leaking credentials. It has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). According to Endor Labs, 218 GitHub repositories are estimated to have exposed their secrets due to…