AI description
CVE-2025-30066 is a software supply-chain compromise of the tj-actions/changed-files GitHub Action. It lets remote attackers discover secrets by reading GitHub Actions workflow logs: the malicious code inserted into the action printed secrets held by the runner into the job log, and the logs of public repositories are readable by anyone, which is why the CVSS vector is network-reachable with no privileges and a changed scope. All releases up to and including 45.0.7 are affected; 46 and later are not. The compromise worked because a threat actor retargeted the release tags v1 through v45.0.7 (on 2025-03-14 and 2025-03-15) to point at commit 0e58ed8, which carried the malicious code, so every workflow that referenced the action by a tag rather than by a full commit SHA silently ran it on its next job.
- Description
- tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
- Source
- cve@mitre.org
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 8.6
- Impact score
- 4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- Severity
- HIGH
Data from CISA
- Vulnerability name
- tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
- Exploit added on
- Mar 18, 2025
- Exploit action due
- Apr 8, 2025
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness enumeration (CWE)
- cve@mitre.org
- CWE-506 (Embedded Malicious Code)
- nvd@nist.gov
- NVD-CWE-Other
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
#snaphack📢📢📢📢 #buyingcontent #monkeyappgirls🔗 🔗 #crypto #snapchatleak #bitcoin฿#easymoney🌐 #purchasesnaphack🛎️🛎️ #Everyone #recovery CVE-2025-30066 + CVE-2025-30154 | CVSS 8.6 🎯 Targets: DockerHub, npm, AWS creds 🕵️♂️ Tactics: Fork PRs, dangling commits,‼‼‼ https:/
@savana_recovery
24 Mar 2025
124 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#snaphack📢📢📢📢 #buyingcontent #monkeyappgirls🔗 🔗 #crypto #snapchatleak #bitcoin฿#easymoney🌐 #purchasesnaphack🛎️🛎️ #Everyone #recovery CVE-2025-30066 + CVE-2025-30154 | CVSS 8.6 🎯 Targets: DockerHub, npm, AWS creds 🕵️♂️ Tactics: Fork PRs, dangling commits,‼‼‼ https:/
@savana_recovery
24 Mar 2025
143 Impressions
1 Retweet
0 Likes
0 Bookmarks
1 Reply
0 Quotes
On March 14, attackers compromised the popular GitHub Action tj-actions/changed-files, used in over 23,000 repositories. This high-impact breach (CVE-2025-30066) exposed countless projects to risk. While GitHub rolled back to a safe version, affected users must act fast. Learn h
@kaspersky
24 Mar 2025
1322 Impressions
0 Retweets
11 Likes
0 Bookmarks
0 Replies
0 Quotes
A supply chain attack initially aimed at Coinbase has expanded to compromise 218 GitHub repositories, exposing CI/CD secrets. Vulnerabilities CVE-2025-30066 and CVE-2025-30154 are linked. 🚨 #Coinbase #GitHub #USA link: https://t.co/KNPAdaAiGh https://t.co/saeN1qmaZT
@TweetThreatNews
23 Mar 2025
120 Impressions
0 Retweets
3 Likes
1 Bookmark
1 Reply
1 Quote
🚨 Coinbase dodged a bullet—but 218 repos weren’t so lucky. A GitHub supply chain attack hijacked tj-actions/changed-files, leaking secrets from 200+ projects. 🔍 CVE-2025-30066 + CVE-2025-30154 | CVSS 8.6 🎯 Targets: DockerHub, npm, AWS creds 🕵️♂️ Tactics: Fork PRs, dangling
@TheHackersNews
23 Mar 2025
31569 Impressions
100 Retweets
265 Likes
94 Bookmarks
5 Replies
7 Quotes
CVE-2025-30066 Secrets Disclosure Vulnerability in tj-actions Changed-Files Before Version 46 https://t.co/fv4WgBNNWM
@VulmonFeeds
22 Mar 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
22 Mar 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub Actions Supply Chain Attack (tj-actions & reviewdog) update: Team AXON dropped tools to detect secrets leaked via CVE-2025-30066 & CVE-2025-30154: - Secret Scanner - Log Fetcher (Linux/Win) Protect your repos https://t.co/xvmFwGHzH7 https://t.co/kKQEEBRx7b
@secharvesterx
22 Mar 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 GitHub Actions Exploit CVE-2025-30066 compromised thousands of repositories, exposing CI/CD secrets & enabling unauthorized access. How can you prevent such attacks? Our latest blog breaks it down + how OpsMx can help prevent such issues. Link 👉 https://t.co/pYVOM69OCq
@ops_mx
21 Mar 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️Update on the GitHub Actions Supply Chain Attack Hunters' Team AXON has released a tool designed to help security teams identify secrets compromised by CVE-2025-30066 & CVE-2025-30154 Whether you're responding to the incident or verifying your repos, this tool is for you
@0x_prostem
21 Mar 2025
35 Impressions
1 Retweet
2 Likes
0 Bookmarks
1 Reply
0 Quotes
GitHub Actions Supply Chain Attack (tj-actions & reviewdog) update: Team AXON dropped tools to detect secrets leaked via CVE-2025-30066 & CVE-2025-30154: 🔍 Secret Scanner 📦 Log Fetcher (Linux/Win) Protect your repos now: https://t.co/MJVP4YcsbD https://t.co/7ULwbITVZ
@team__axon
21 Mar 2025
312 Impressions
2 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
21 Mar 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
⚠️ DevOps Under Attack: GitHub Action Compromised On March 14, attackers compromised the popular GitHub Action tj-actions/changed-files, used in over 23,000 repositories. The malicious version exposed sensitive secrets and was assigned CVE-2025-30066. Although GitHub rolled it ht
@KasperskyKSA
21 Mar 2025
128 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Detecting and mitigating the "tj-actions/changed-files" supply chain attack (CVE-2025-30066) Hatena Bookmark, Technology, new entries https://t.co/mqSdK5jMiJ
@mohritaroh
20 Mar 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 GitHub Actions are under attack! A supply chain attack hit tj-actions/changed-files, leaking AWS keys, GitHub PATs & more. CISA confirms active exploitation. 🔹 CVE-2025-30066 (CVSS 8.6) 🔹 Attack spread via another compromised Action 🔹 Sensitive secrets exposed via log
@achi_tech
20 Mar 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise. The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code. https://t.co/G5Jao9zell https://t.co/vt4p1TWU61
@riskigy
20 Mar 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-30066 #tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability https://t.co/7Iwb25lW8u
@ScyScan
20 Mar 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA adds CVE-2025-30066 to its KEV catalog after a supply chain attack on tj-actions/changed-files leaks secrets from GitHub repos 🔑 Exposed: AWS keys, GitHub tokens, private keys & more 🔍 Security teams: Rotate secrets, replace affected actions, limit public access
@ChrisCipher
20 Mar 2025
61 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
19 Mar 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CISA warns of active exploitation in GitHub Action Supply Chain Compromise. The high-severity flaw, identified as CVE-2025-30066, has a CVSS score of 8.6. #ciberseguridad #cybersecurity https://t.co/4q93DTtRtM
@EHCGroup
19 Mar 2025
22 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#exploit 1. CVE-2024-7014: Telegram EvilVideo Vulnerability https://t.co/9Qajyeyn9z 2. CVE-2025-30066: Embedded Malicious Code ("tj-actions/changed-files" Attack) https://t.co/q0LSW0BDk3 3. CVE-2024-0406: Path Traversal in mholt/archiver https://t.co/v5eRaEUVG9
@ksg93rd
19 Mar 2025
596 Impressions
2 Retweets
11 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨 #CISA warns of GitHub #supplychain attack: CVE-2025-30066 exploited to steal #AWS keys & #GitHub tokens via tj-actions/changed-files. Attackers injected malicious code into CI/CD workflows! 🔒 Update to v46.0.1 by April 4. Stay ahead with #ThreatIntel https://t.co/Y6mkYLV
@socradar
19 Mar 2025
18 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA added a high-severity vulnerability (CVE-2025-30066) linked to the GitHub Action tj-actions/changed-files to its KEV catalog. The #flaw allows remote attackers to access sensitive data via actions logs☝️👩💻 #vulnerability https://t.co/XE1bEpLooH
@manuelbissey
19 Mar 2025
37 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CISA has flagged a critical vulnerability (CVE-2025-30066) in GitHub Actions, exposing sensitive data through malicious code. Affected users must update to prevent exploitation. ⚠️ #GitHubSecurity #Vulnerability #USA link: https://t.co/9e6qlpK5TZ https://t.co/MsthXYnGrt
@TweetThreatNews
19 Mar 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
💬New Blog Post 👉 CVE-2025-30066 tj-actions/changed-files GitHub Action Compromise: Impacts on Software Supply Chain Security and ASPM - 03/19/ - https://t.co/2VpF9yN9SJ
@sec_phoenix
19 Mar 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA warns of a GitHub supply chain attack (CVE-2025-30066) exploiting tj-actions/changed-files! Update to v46.0.1 by April 4, 2025, to protect sensitive secrets. #CyberSecurity #GitHubBreach #CISAAlert #DevSecOps #Infosec #TruBitX https://t.co/y1rPD4r3Uj
@TruBitXOfficial
19 Mar 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA warns of a critical vulnerability (CVE-2025-30066) in tj-actions/changed-files GitHub Action. Sensitive info at risk! Update to version 46.0.1 to stay secure. 🔒 #GitHubSecurity #DataProtection #USA link: https://t.co/GqzCdIsYSd https://t.co/jDVmHCs7I7
@TweetThreatNews
19 Mar 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA warns of a vulnerability (CVE-2025-30066) in the GitHub Action "tj-actions/changed-files". Attackers may be able to access sensitive information through action logs. Affected users are advised to update to the latest version (46.0.1) by April 4, 2025. https://t.co/11dHVJp1n5
@01ra66it
19 Mar 2025
146 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 The US Cybersecurity and Infrastructure Security Agency (CISA) has disclosed active exploitation of a vulnerability in a GitHub Action, tj-actions/changed-files, which has been added to the Known Exploited Vulnerabilities list. The high-severity vulnerability (CVE-2025-30066) allows injection of malicious code to carry out operations remotely. #الامن_السيبر…
@Cybercachear
19 Mar 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨CVE Alert: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability Exploited In The Wild🚨 Vulnerability Details: CVE-2025-30066 (CVSS 8.6/10) tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability Impact A successful exploit may… ht
@CyberxtronTech
19 Mar 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 GitHub Actions are under attack! A supply chain attack hit tj-actions/changed-files, leaking AWS keys, GitHub PATs & more. CISA confirms active exploitation. 🔹 CVE-2025-30066 (CVSS 8.6) 🔹 Attack spread via another compromised Action 🔹 Sensitive secrets exposed via log
@TheHackersNews
19 Mar 2025
75615 Impressions
75 Retweets
205 Likes
56 Bookmarks
5 Replies
1 Quote
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the FortiOS/FortiProxy authentication bypass CVE-2025-24472 and the malicious code in the GitHub Action tj-actions/changed-files, CVE-2025-30066, to its Known Exploited Vulnerabilities catalog. The remediation deadline is the usual 4/8. The Fortinet flaw has already been exploited by ransomware. https://t.co/JQnPJmC90H
@__kokumoto
18 Mar 2025
1240 Impressions
4 Retweets
16 Likes
2 Bookmarks
1 Reply
0 Quotes
🚨 Compromise of a popular third-party GitHub Action, tj-actions/changed-files, (CVE-2025-30066) allows remote attackers to discover secrets by reading actions logs. See our Alert for more 👉 https://t.co/bLr3Z6s9wu #Cybersecurity
@CISACyber
18 Mar 2025
5302 Impressions
21 Retweets
38 Likes
9 Bookmarks
0 Replies
1 Quote
Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066 https://t.co/tXnL5tGXXn
@djhsecurity
18 Mar 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066 https://t.co/4IeiqxuMyw
@TLITLansing
18 Mar 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ We added vulnerabilities for Fortinet FortiOS & FortiProxy, CVE-2025-24472, and GitHub, CVE-2025-30066, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/bJOgGeWmb8 & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec htt
@CISACyber
18 Mar 2025
11534 Impressions
58 Retweets
111 Likes
17 Bookmarks
5 Replies
4 Quotes
Malicious GitHub Action leads to credential leaks (#CVE-2025-30066); find out if you’re impacted and what to do, including free helper tools for #AppSec and #DevOps teams: https://t.co/ruvUyajJL5
@CheckmarxZero
18 Mar 2025
118 Impressions
3 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 SECURITY ALERT: Certain GitHub Action files are compromised and can provide access to secrets. Find out more about CVE-2025-30066 and plug the gaps in your software supply chain by reading our latest blog post from the @CheckmarxZero team: https://t.co/DtksWnAetj https://t.co/
@Checkmarx
18 Mar 2025
90 Impressions
1 Retweet
3 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-30066: GitHub Action Compromise Puts Over 23K CI/CD Secrets at Risk Incident related to Tj-actions/GitHub Action file changes used in over 23K repositories https://t.co/ptAS5X4mh8 https://t.co/0aWCP3ciyo
@freedomhack101
18 Mar 2025
32 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
18 Mar 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
💥 CVE-2025-30066 In software, trust is an invisible contract—one that was quietly broken last week. A widely used GitHub Action, tj-actions/changed-files, was compromised, exposing API keys, access tokens, and credentials across thousands of repositories. According to Endor… ht
@BarelTayouri
18 Mar 2025
40 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
💥 CVE-2025-30066 In software, trust is an invisible contract—one that was quietly broken last week. A widely used GitHub Action, tj-actions/changed-files, was compromised, exposing API keys, access tokens, and credentials across thousands of repositories. According to Endor… ht
@BarelTayouri
18 Mar 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
17 Mar 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
I have a feeling CVE-2025-30066 could have been prevented if the "tj-actions/changed-files" had the repository setting and the stolen PAT wasn't overprivileged. https://t.co/3Ov26TvIYh
@yarlob
17 Mar 2025
185 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
A supply chain compromise has exposed CI/CD secrets in over 23,000 repos via GitHub Action tj-actions/changed-files. Users urged to update and review workflows. CVE-2025-30066 assigned. ⚠️ #GitHub #AWS #USA link: https://t.co/rhuXCuZefG https://t.co/e6tEDWcnUk
@TweetThreatNews
17 Mar 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-30066
@transilienceai
17 Mar 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Vulnerability in which the GitHub Action "tj-actions/changed-files" was compromised (CVE-2025-30066) #セキュリティ対策Lab #セキュリティ #Security https://t.co/Npu1RttL6h
@securityLab_jp
17 Mar 2025
131 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 New Threat Alert 🚨 A compromised GitHub Action (CVE-2025-30066) has exposed credentials in build logs and exfiltrated secrets. If you used tj-actions/changed-files between March 12-15, rotate your secrets ASAP. Full details from Sysdig TRT below. ⤵️ https://t.co/Dap5qDNF3i
@sysdig
15 Mar 2025
562 Impressions
3 Retweets
7 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 GitHub Action tj-actions/changed-files compromised on March 14, 2024, exposing secrets in public repos! This has been tracked as CVE-2025-30066. Recovery actions are essential. #GitHubSecurity #CVE2025 #USA link: https://t.co/NoTOp7XBid https://t.co/ReCymgRUpJ
@TweetThreatNews
15 Mar 2025
184 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-30066 🔴 HIGH (8.6) 🏢 tj-actions - changed-files 🏗️ 1 🔗 https://t.co/B3H0pZ11CC 🔗 https://t.co/rA0pZ6C7vM 🔗 https://t.co/yPZEhd8WrK 🔗 https://t.co/CjweW7Go1r 🔗 https://t.co/0365KnNQU3 #CyberCron #VulnAlert #InfoSec https://t.co/lN23GSC3yR
@cybercronai
15 Mar 2025
133 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CPE configuration (NVD)
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "23B2BE4B-AC69-4088-9ABD-ACDB46ABAA9A",
            "versionEndIncluding": "45.0.7"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
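The description at the top of this page and the CPE range just above describe the same check from two sides: the tags v1 through v45.0.7 were retargeted to commit 0e58ed8, and the NVD match covers every version up to and including 45.0.7. The following block is an added example, not code from the page, from NVD or from the tj-actions project: it scans a GitHub Actions workflow file for `uses:` lines referencing the action and classifies each reference against that range. A full 40-character SHA is treated as safe unless it carries the 0e58ed8 prefix; a version tag inside the range is flagged; any other tag or branch (including v46.0.1) is flagged as a mutable reference, because a tag that can be retargeted is exactly the mechanism this incident used. The sample workflow, the SHA built from the 0e58ed8 prefix plus placeholder hex, and the all-`a` SHA are constructed for the example.

```python
import re
from typing import List, Tuple

ACTION = "tj-actions/changed-files"
MALICIOUS_PREFIX = "0e58ed8"   # short SHA of the commit the tags were retargeted to (from the advisory)
LAST_VULNERABLE = (45, 0, 7)    # versionEndIncluding from the NVD CPE match above

# Matches "uses: owner/repo@ref" step lines; the ref ends at whitespace, a quote or a YAML comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(tag: str):
    """'v45.0.7' -> (45, 0, 7); 'v45' -> (45,); None for branch names and SHAs."""
    m = TAG_RE.match(tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify_ref(ref: str) -> str:
    ref = ref.lower()
    if SHA_RE.match(ref):
        # A full SHA is immutable, so it is safe unless it is the malicious commit itself.
        return "malicious-commit" if ref.startswith(MALICIOUS_PREFIX) else "sha-pinned"
    ver = parse_version(ref)
    if ver is not None and ver <= LAST_VULNERABLE:
        # Tags v1..v45.0.7 were retargeted; tuple comparison also puts a floating 'v45' inside the range.
        return "vulnerable-tag"
    # Any other tag or branch can be retargeted again in a future incident.
    return "mutable-ref"


def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ref, verdict) for every reference to the action in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == ACTION:
            findings.append((lineno, m.group(2), classify_ref(m.group(2))))
    return findings


def needs_secret_rotation(findings) -> bool:
    """True when the workflow could have executed the compromised code during the incident window."""
    return any(v in ("malicious-commit", "vulnerable-tag") for _, _, v in findings)


# Constructed sample workflow; not taken from any real repository.
MALICIOUS_SHA_SAMPLE = MALICIOUS_PREFIX + "0123456789abcdef0123456789abcdef0"  # prefix + placeholder hex
CLEAN_SHA_SAMPLE = "a" * 40                                                   # stands for an arbitrary clean pin
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@{MALICIOUS_SHA_SAMPLE}
      - uses: tj-actions/changed-files@{CLEAN_SHA_SAMPLE}
      - uses: tj-actions/changed-files@main
      - uses: tj-actions/changed-files@v46.0.1
"""

if __name__ == "__main__":
    results = scan_workflow(SAMPLE_WORKFLOW)
    for lineno, ref, verdict in results:
        print(f"line {lineno:>3}: {verdict:<17} {ACTION}@{ref}")
    print("rotate secrets:", needs_secret_rotation(results))
```

Run it over every file under `.github/workflows/` in the repositories you own; a `vulnerable-tag` or `malicious-commit` finding means the job's secrets should be treated as exposed and rotated, and every `mutable-ref` finding is a candidate for pinning to a full commit SHA regardless of which action it names.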