CVE-2025-30066

8.6 HIGH CISA KEV

📋 TL;DR

CVE-2025-30066 is a supply chain attack where malicious commits were injected into the tj-actions/changed-files GitHub Action, allowing attackers to exfiltrate secrets from GitHub Actions logs. This affects any GitHub repository using vulnerable versions of this popular action. The attack occurred when a threat actor modified tags v1 through v45.0.7 to point to a malicious commit.

💻 Affected Systems

Products:
  • tj-actions/changed-files GitHub Action
Versions: All versions v1 through v45.0.7 (tags modified on 2025-03-14 and 2025-03-15)
Operating Systems: Any OS running GitHub Actions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects repositories using the compromised tags. The malicious code was in commit 0e58ed8, to which the threat actor re-pointed the existing tags.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of repository secrets including API keys, tokens, passwords, and sensitive data, leading to unauthorized access to connected systems and data exfiltration.

🟠

Likely Case

Exposure of GitHub Actions secrets and repository data, potentially enabling further attacks on dependent systems and services.

🟢

If Mitigated

Limited exposure if secrets are properly masked and logs are restricted, though the malicious code execution still occurs.

🌐 Internet-Facing: HIGH - GitHub Actions run in cloud environments and process code from potentially untrusted sources.
🏢 Internal Only: MEDIUM - Internal repositories are still vulnerable if using the compromised action, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: YES
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attack was already weaponized by the threat actor who injected malicious code. Exploitation occurs automatically when vulnerable action versions run.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v46 and later

Vendor Advisory: https://github.com/tj-actions/changed-files/security/advisories

Restart Required: No

Instructions:

1. Update your GitHub Actions workflow YAML files to use tj-actions/changed-files@v46 or later.
2. Replace any references to v1 through v45.0.7 with v46+.
3. Review and rotate all exposed secrets.

🔧 Temporary Workarounds

Pin to safe commit hash

all

Pin the action to a known safe full commit SHA instead of a mutable tag; the hash below is a placeholder, so substitute a 40-character SHA you have verified against the upstream repository

uses: tj-actions/changed-files@a1b2c3d4e5f678901234567890abcdef12345678

Disable changed-files action temporarily

all

Remove or comment out the changed-files action from workflows until patched

# uses: tj-actions/changed-files@v45

🧯 If You Can't Patch

  • Immediately rotate all secrets that could have been exposed through GitHub Actions
  • Enable GitHub Actions secret masking and implement strict log filtering

🔍 How to Verify

Check if Vulnerable:

Check your .github/workflows/*.yml files for lines containing 'tj-actions/changed-files@' with version v1 through v45.0.7

Check Version:

grep -r 'tj-actions/changed-files@' .github/workflows/

Verify Fix Applied:

Confirm workflow files now reference tj-actions/changed-files@v46 or later, or a specific safe commit hash
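The grep above only lists references; the scanner below, an added example that is not part of the advisory or the tj-actions project, classifies each reference as a vulnerable tag (major version below 46, per the affected range above), a fixed tag, a floating branch, a pinned SHA, or the malicious commit 0e58ed8 named above. It skips commented-out steps such as the workaround's `# uses:` line; the sample workflow fragment is constructed for illustration.

```python
import glob
import re

# Page-stated facts: tags v1..v45.0.7 were re-pointed to commit 0e58ed8; v46+ is fixed.
FIXED_MAJOR = 46
MALICIOUS_COMMIT_PREFIX = "0e58ed8"
USES_RE = re.compile(r"""uses:\s*["']?tj-actions/changed-files@([^\s"']+)""")
TAG_RE = re.compile(r"^v(\d+)(?:\.\d+){0,2}$")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")

# Constructed sample workflow fragment (not from any real repository).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v45
  - uses: tj-actions/changed-files@v45.0.7
  - uses: "tj-actions/changed-files@v46"
  - uses: tj-actions/changed-files@v46.0.1
  - uses: tj-actions/changed-files@main
  - uses: tj-actions/changed-files@0e58ed8
  - uses: tj-actions/changed-files@a1b2c3d4e5f678901234567890abcdef12345678
  # - uses: tj-actions/changed-files@v45
"""

def classify_ref(ref: str) -> str:
    """Classify the part after '@' in a tj-actions/changed-files reference."""
    if SHA_RE.match(ref):
        if ref.startswith(MALICIOUS_COMMIT_PREFIX):
            return "malicious-commit"
        return "pinned-sha" if len(ref) == 40 else "short-sha"  # still verify upstream
    m = TAG_RE.match(ref)
    if m:
        return "vulnerable-tag" if int(m.group(1)) < FIXED_MAJOR else "fixed-tag"
    return "floating-ref"  # e.g. 'main': mutable, cannot be assessed statically

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, ref, verdict) for each live changed-files reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step, as in the workaround above
        m = USES_RE.search(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings

if __name__ == "__main__":  # scan a checked-out repository from its root
    for path in sorted(glob.glob(".github/workflows/*.y*ml")):
        for lineno, ref, verdict in scan_text(open(path, encoding="utf-8").read()):
            print(f"{path}:{lineno}: @{ref} -> {verdict}")
```

Any `vulnerable-tag`, `malicious-commit` or `short-sha` result needs action; a `floating-ref` cannot be judged from the file alone and should be replaced with a verified full SHA.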

📡 Detection & Monitoring

Log Indicators:

  • Unusual network connections from GitHub Actions runners
  • Suspicious file reads or data exfiltration in action logs
  • Execution of unexpected updateFeatures code

Network Indicators:

  • Outbound connections to unknown domains from GitHub Actions environments

SIEM Query:

source="github-actions" AND (message="*changed-files*" OR message="*updateFeatures*")

🔗 References
