CVE-2025-30066: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were not...

8.6 CVSS

Description

tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were not originally affected, but were modified by a threat actor to point at commit 0e58ed8, which contains the malicious updateFeatures code.)
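The compromise worked by moving existing release tags onto a malicious commit, so any workflow referencing the action by tag silently picked up the new code. As an added defensive check (not part of this CVE record or of the tj-actions project), the Python audit below flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA, which is the mitigation the linked GitHub hardening guide recommends. The sample workflow text and the all-`a` placeholder SHA are constructed for this example.

```python
import re

# A `uses:` step reference: owner/repo[/subpath]@ref (tag, branch or SHA).
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[^@\s"\']+)?)@([^\s"\']+)'
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')

def audit_uses(workflow_text, watch=("tj-actions/changed-files",)):
    """Return one finding per `uses:` line that is not pinned to a full SHA.

    A full SHA cannot be retargeted by moving a tag; tags and branches can,
    and an abbreviated SHA is still not an exact pin. Repositories listed in
    `watch` (here the action named in this CVE) are reported as high severity.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any subpath
        if FULL_SHA_RE.match(ref):
            continue  # fully pinned; a pin does not prove the commit is benign
        kind = "abbreviated-sha" if SHORT_SHA_RE.match(ref) else "mutable-ref"
        findings.append({
            "line": lineno, "action": action, "ref": ref, "kind": kind,
            "severity": "high" if repo in watch else "medium",
        })
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changes
        uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@0e58ed8
      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{f['kind']}, {f['severity']}]")
```

Run it over each file under `.github/workflows/`; anything reported as `mutable-ref` for a watched action should be repinned to a SHA taken from the maintainer's verified release.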

Known Exploited

🚨 Marked as known exploited on March 18th, 2025 (about 1 month ago).

Classification

CVE ID: CVE-2025-30066

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem Types

CWE-506 Embedded Malicious Code

Affected Products

Vendor: tj-actions

Product: changed-files

Exploit Prediction Scoring System (EPSS)

EPSS Score: 63.87% (estimated probability of exploitation activity in the next 30 days)

EPSS Percentile: 98.29% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-13 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30066
https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
https://github.com/tj-actions/changed-files/issues/2463
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
https://news.ycombinator.com/item?id=43368870

Timeline