{"id":"CVE-2025-30066","details":"tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)","aliases":["GHSA-mrrh-fwg8-r2c3"],"modified":"2026-03-20T12:41:59.792481Z","published":"2025-03-15T06:15:12.193Z","references":[{"type":"WEB","url":"https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193"},{"type":"WEB","url":"https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30066"},{"type":"ADVISORY","url":"https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/"},{"type":"ADVISORY","url":"https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066"},{"type":"ADVISORY","url":"https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond"},{"type":"ADVISORY","url":"https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/"},{"type":"ADVISORY","url":"https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack"},{"type":"ADVISORY","url":"https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=43367987"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=43368870"},{"type":"REPORT","url":"https://github.com/espressif/arduino-esp32/issues/11127"},{"type":"REPORT","url":"https://github.com/modal-labs/modal-examples/issues/1100"},{"type":"REPORT","url":"https://github.com/rackerlabs/genestack/pull/903"},{"type":"REPORT","url":"https://github.com/tj-actions/changed-files/issues/2463"},{"type":"REPORT","url":"https://github.com/tj-actions/changed-files/issues/2464"},{"type":"REPORT","url":"https://github.com/chains-project/maven-lockfile/pull/1111"},{"type":"REPORT","url":"https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463"},{"type":"REPORT","url":"https://github.com/tj-actions/changed-files/issues/2477"},{"type":"EVIDENCE","url":"https://blog.gitguardian.com/compromised-tj-actions/"},{"type":"EVIDENCE","url":"https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tj-actions/changed-files","events":[{"introduced":"0"},{"last_affected":"a284dc1814e3fd07f2e34267fc8f81227ed29fb8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"45.0.7"}]}}],"versions":["v1","v1.0.2","v1.0.3","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.2.0","v1.2.1","v1.2.2","v1.3.0","v1.3.1","v10","v10.1","v11","v11.1","v11.2","v11.3","v11.4","v11.5","v11.6","v11.7","v11.8","v11.9","v12","v12.1","v12.2","v15.1","v16","v17","v17.1","v17.2","v17.3","v18","v18.1","v18.2","v18.3","v18.4","v18.5","v18.6","v18.7","v19","v19.1","v19.2","v19.3","v2","v2.0.0","v2.0.1","v2.1","v20","v20.1","v20.2","v21","v22","v22.1","v22.2","v23","v23.1","v23.2","v24","v24.1","v25","v26","v26.1","v27","v28","v28.0.0","v29","v29.0.0","v29.0.1","v29.0.2","v29.0.3","v29.0.4","v29.0.5","v29.0.6","v29.0.7","v29.0.8","v29.0.9","v3","v3.1","v3.2","v3.3","v30","v30.0.0","v31","v31.0.0","v31.0.1","v31.0.2","v31.0.3","v32","v32.0.0","v32.0.1","v32.1.0","v32.1.1","v32.1.2","v33","v33.0.0","v34","v34.0.0","v34.0.1","v34.0.2","v34.0.3","v34.0.4","v34.0.5","v34.1.1","v34.2.0","v34.2.1","v34.2.2","v34.3.0","v34.3.1","v34.3.2","v34.3.3","v34.3.4","v34.4.0","v34.4.1","v34.4.2","v34.4.3","v34.4.4","v34.5.0","v34.5.1","v34.5.2","v34.5.3","v34.5.4","v34.6.0","v34.6.1","v34.6.2","v35.0.0","v35.0.1","v35.1.0","v35.1.1","v35.1.2","v35.2.0","v35.2.1","v35.3.0","v35.3.1","v35.3.2","v35.4.0","v35.4.1","v35.4.2","v35.4.3","v35.4.4","v35.5.0","v35.5.1","v35.5.2","v35.5.3","v35.5.4","v35.5.5","v35.5.6","v35.6.0","v35.6.1","v35.6.2","v35.6.3","v35.6.4","v35.7.0","v35.7.0-sec","v35.7.1","v35.7.10","v35.7.11","v35.7.12","v35.7.2","v35.7.3","v35.7.4","v35.7.5","v35.7.6","v35.7.7","v35.7.8","v35.7.9","v35.8.0","v35.9.0","v35.9.1","v35.9.2","v36","v36.0.0","v36.0.1","v36.0.10","v36.0.11","v36.0.12","v36.0.13","v36.0.14","v36.0.15","v36.0.16","v36.0.17","v36.0.18","v36.0.2","v36.0.3","v36.0.4","v36.0.5","v36.0.6","v36.0.7","v36.0.8","v36.0.9","v36.1.0","v36.2.0","v36.2.1","v36.3.0","v36.4.0","v36.4.1","v36.4.2","v37","v37.0.0","v37.0.1","v37.0.2","v37.0.3","v37.0.4","v37.0.5","v37.1.0","v37.1.1","v37.1.2","v37.2.0","v37.3.0","v37.4.0","v37.5.0","v37.5.1","v37.5.2","v37.6.0","v37.6.1","v38","v38.0.0","v38.1.0","v38.1.1","v38.1.2","v38.1.3","v38.2.0","v38.2.1","v38.2.2","v39","v39.0.0","v39.0.1","v39.0.2","v39.0.3","v39.1.0","v39.1.1","v39.1.2","v39.2.0","v39.2.1","v39.2.2","v39.2.3","v39.2.4","v4","v4.1","v4.2","v4.3","v4.4","v40","v40.0.0","v40.0.1","v40.0.2","v40.1.0","v40.1.1","v40.2.0","v40.2.1","v40.2.2","v40.2.3","v41","v41.0.0","v41.0.1","v41.1.0","v41.1.1","v41.1.2","v42","v42.0.0","v42.0.1","v42.0.2","v42.0.3","v42.0.4","v42.0.5","v42.0.6","v42.0.7","v42.1.0","v43","v43.0.0","v43.0.1","v44","v44.0.0","v44.0.1","v44.1.0","v44.2.0","v44.3.0","v44.4.0","v44.5.0","v44.5.1","v44.5.2","v44.5.3","v44.5.4","v44.5.5","v44.5.6","v44.5.7","v45","v45.0.0","v45.0.1","v45.0.2","v45.0.3","v45.0.4","v45.0.5","v45.0.6","v45.0.7","v45.0.8","v45.0.9","v5","v5.1","v5.2","v5.3","v6","v6.1","v6.2","v6.3","v7","v8","v8.1","v8.2","v8.3","v8.4","v8.5","v8.6","v8.7","v8.8","v8.9","v9","v9.1","v9.2","v9.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-30066.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}