CVE-2025-30066
high-risk
Published 2025-03-15
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
Do I need to act?
91.3% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.6/10 (High), attack vector NETWORK / LOW complexity
Affected Products (1)
Affected Vendors
References (21)
Issue Tracking: https://github.com/chains-project/maven-lockfile/pull/1111
Issue Tracking: https://github.com/espressif/arduino-esp32/issues/11127
Issue Tracking: https://github.com/modal-labs/modal-examples/issues/1100
Issue Tracking: https://github.com/rackerlabs/genestack/pull/903
Issue Tracking: https://github.com/tj-actions/changed-files/issues/2463
Issue Tracking: https://github.com/tj-actions/changed-files/issues/2464
Issue Tracking: https://github.com/tj-actions/changed-files/issues/2477
Issue Tracking: https://news.ycombinator.com/item?id=43367987
Issue Tracking: https://news.ycombinator.com/item?id=43368870
Third Party Advisory: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-c...
Third Party Advisory: https://www.stream.security/post/github-action-supply-chain-attack-exposes-secre...
Third Party Advisory: https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
Third Party Advisory: https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-atta...
Third Party Advisory: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third...
and 1 more reference
Risk score: 61 / 100 (high-risk)
Severity: 29/34 · Critical
Exploitability: 27/34 · High
Exposure: 5/34 · Minimal