CVE-2025-30066
Published: 15 March 2025
Description
tj-actions/changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were not originally affected, but were modified by a threat actor to point at commit 0e58ed8, which contains the malicious updateFeatures code.
Security Summary
CVE-2025-30066 is a supply chain compromise of the tj-actions/changed-files GitHub Action affecting versions through 45.0.7. On 2025-03-14 and 2025-03-15 a threat actor retargeted the release tags v1 through v45.0.7 to commit 0e58ed8, which carried malicious updateFeatures code, so any workflow that referenced the action by one of those tags pulled the tampered commit on its next run without any change to the workflow itself. The injected code lets remote attackers discover secrets by reading GitHub Actions logs. The flaw carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-506 (Embedded Malicious Code).
The tampered code dumped memory from the runner's worker process and printed any secrets it found to the job log, double base64-encoded. In public repositories those logs are readable by anyone, so exploitation needs no privileges and no user interaction: the attacker reads the workflow run logs of repositories that used an affected tag during the window and decodes the blobs to recover tokens and credentials, such as the job's GITHUB_TOKEN and any other value the workflow received as a secret. In private repositories the logs are visible only to users with read access to the repository, but the secrets are exposed to them just the same.
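The log-reading step above is also the detection opportunity: a leaked secret shows up in the job log as a long base64 blob that decodes to another base64 blob. The following is an added example, not code from the page or from the tj-actions project, that scans log text for such double-base64 runs and reports the ones whose innermost text names a secret. The log lines and the secret values in it are constructed for the example; the blob imitates only the double encoding, not the exact layout the real payload produced.

```python
import base64
import binascii
import json
import re

# Constructed sample data: a fake secret dump, double base64-encoded, embedded
# in an otherwise ordinary runner log. None of these values are real credentials.
_FAKE_SECRETS = json.dumps({
    "GITHUB_TOKEN": "ghs_constructedExampleValueNotReal000",
    "AWS_SECRET_ACCESS_KEY": "constructed/example/value/not/real",
})
_DOUBLE_B64 = base64.b64encode(base64.b64encode(_FAKE_SECRETS.encode())).decode()

SAMPLE_LOG = (
    "2025-03-15T02:10:11.000Z ##[group]Run tj-actions/changed-files@v45\n"
    "2025-03-15T02:10:12.000Z Getting diff of all changed files...\n"
    f"2025-03-15T02:10:13.000Z {_DOUBLE_B64}\n"
    "2025-03-15T02:10:13.000Z ##[endgroup]\n"
)

# Constructed clean log: a 40-hex commit SHA is also 40 base64-alphabet
# characters, so the scanner must not flag it (it decodes to non-text bytes).
CLEAN_LOG = (
    "2025-03-15T02:10:11.000Z ##[group]Run actions/checkout@v4\n"
    "2025-03-15T02:10:12.000Z HEAD is now at 0123456789abcdef0123456789abcdef01234567\n"
    "2025-03-15T02:10:13.000Z ##[endgroup]\n"
)

# A run of base64-alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Names a dump of GitHub Actions runner secrets would be expected to carry.
SECRET_MARKERS = ("GITHUB_TOKEN", "ACTIONS_RUNTIME_TOKEN", "SECRET", "PASSWORD", "TOKEN")


def _b64_to_text(candidate: str):
    """Strictly decode one base64 layer; None if it is not valid base64 or not text."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_double_b64_leaks(log_text: str):
    """Return one finding per log line that carries a double-base64 blob whose
    innermost text mentions one of SECRET_MARKERS."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            inner = _b64_to_text(match.group(0))   # first layer: base64 text
            if inner is None:
                continue
            plain = _b64_to_text(inner.strip())    # second layer: the secrets
            if plain is None:
                continue
            hits = [marker for marker in SECRET_MARKERS if marker in plain]
            if hits:
                findings.append({"line": lineno, "markers": hits, "decoded": plain})
    return findings


if __name__ == "__main__":
    for finding in find_double_b64_leaks(SAMPLE_LOG):
        print(f"line {finding['line']}: secret markers {finding['markers']} found in log")
    print("clean log findings:", find_double_b64_leaks(CLEAN_LOG))
```

Any hit means the secret has already been written to a place the attacker could read; the response is to rotate it, not just to delete the log. The strict decode and the second-layer requirement keep ordinary log content such as commit SHAs and single-layer base64 out of the results.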
Advisories, including a GitGuardian blog post and GitHub's documentation on security hardening for GitHub Actions, recommend updating to tj-actions/changed-files version 46 or later, pinning every third-party action to a full-length commit SHA rather than a mutable tag (a tag can be moved; a commit hash cannot), reviewing the logs of every run that used an affected tag between 2025-03-14 and 2025-03-15, and rotating any secret those runs could have seen. Projects such as chains-project/maven-lockfile, espressif/arduino-esp32, and modal-labs/modal-examples documented the issue in their own pull requests and issues while applying those steps.
The incident is a real-world supply chain compromise carried out through GitHub tag tampering; the CVE was published on 2025-03-15.
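The pinning advice above is mechanical enough to check automatically. The following is an added example, not code from the page or from any of the projects it names, that audits a workflow file for `uses:` references held by tag or branch instead of a full commit SHA, singles out tj-actions/changed-files tags in the tampered range, and rewrites mutable references from a pin map the operator has verified by hand. The workflow text and the 40-hex SHAs in it are constructed placeholders, not real commits.

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" in a step; local (./path) and docker:// actions
# have no "@ref" and are skipped.
USES = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
TAMPERED_ACTION = "tj-actions/changed-files"
TAMPERED_MAX_MAJOR = 45   # tags v1 through v45.0.7 were retargeted

# Constructed sample workflow (not from any real repository). The SHA is a placeholder.
SAMPLE_WORKFLOW = """name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - name: Detect changes
        uses: tj-actions/changed-files@v45
        with:
          files: src/**
      - uses: ./.github/actions/local-thing
"""


def audit_workflow(text: str):
    """Return one finding per step whose action is not pinned to a 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES.match(line)
        if not match:
            continue
        action, ref = match["action"], match["ref"]
        if SHA40.match(ref):
            continue   # immutable pin; nothing to report
        reason = "mutable ref (tag or branch): retargeting the tag changes the code that runs"
        if action == TAMPERED_ACTION:
            major = re.match(r"v?(\d+)", ref)
            if major and int(major.group(1)) <= TAMPERED_MAX_MAJOR:
                reason = "tag in the tampered range (v1 through v45.0.7): treat run logs as exposed"
        findings.append({"line": lineno, "action": action, "ref": ref, "reason": reason})
    return findings


def pin_workflow(text: str, pins: dict):
    """Rewrite mutable refs to commit SHAs. `pins` maps (action, ref) to
    (sha, label); the caller supplies SHAs it has verified against the upstream
    release, and the label is kept as a trailing comment for readers."""
    out = []
    for line in text.splitlines():
        match = USES.match(line)
        if match and not SHA40.match(match["ref"]):
            key = (match["action"], match["ref"])
            if key in pins:
                sha, label = pins[key]
                line = f'{match["indent"]}uses: {match["action"]}@{sha} # {label}{match["rest"]}'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f'line {finding["line"]}: {finding["action"]}@{finding["ref"]} - {finding["reason"]}')
```

The pin map is deliberately an input rather than something the script fetches: the point of pinning is that a human (or a signed release process) has checked which commit a version label corresponds to, and an auditor that resolved tags over the network would inherit exactly the trust in mutable tags it is meant to remove. For the tampered action the replacement should be a SHA from version 46 or later, not the SHA the old tag currently points at.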
Details
- CWE(s): CWE-506 (Embedded Malicious Code)
- KEV Date Added: 18 March 2025
Affected Products
- tj-actions/changed-files through 45.0.7: every workflow referencing the action by any of the retargeted tags v1 through v45.0.7
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a supply chain compromise via GitHub Action tag tampering (T1195.002, Compromise Software Supply Chain) that introduces malicious code writing secrets into workflow run logs; an attacker then reads those logs to obtain the credentials, which the page maps to T1552.001 (Credentials In Files) since the log is the stored artifact from which the credentials are recovered.