CVE-2025-30066

HIGH · KEV

tj-actions changed-files < 46 - Unauthenticated Secret Exposure via Malicious Commit


Exploitation Summary

CVE-2025-30066 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 18, 2025. EIP tracks 3 public exploits, from Checkmarx, Super-Vulnerable-Org and OS-pedrogustavobilro.

AI-analyzed exploit summary: This repository contains a detection tool for CVE-2025-30066, designed to scan GitHub Actions logs for secrets using the Checkmarx 2ms tool. It automates the process of fetching workflow runs, downloading logs, and analyzing them for potential secret leaks.

Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

Exploits (3)

nomisec · SCANNER · 1 star
by Checkmarx · poc
https://github.com/Checkmarx/Checkmarx-CVE-2025-30066-Detection-Tool

This repository contains a detection tool for CVE-2025-30066, designed to scan GitHub Actions logs for secrets using the Checkmarx 2ms tool. It automates the process of fetching workflow runs, downloading logs, and analyzing them for potential secret leaks.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitHub Actions (version not specified)
Auth required
Prerequisites: GitHub API token with repository access · Checkmarx 2ms binary installed
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC
by Super-Vulnerable-Org · poc
https://github.com/Super-Vulnerable-Org/compromised-action

This repository contains a functional proof-of-concept for CVE-2025-30066, demonstrating a compromised GitHub Action that executes malicious code via obfuscated eval statements. The exploit uses hex-encoded and base64-encoded payloads to bypass detection and execute arbitrary commands.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitHub Actions (simulated compromised action)
No auth needed
Prerequisites: GitHub Actions environment · Execution of the compromised action
devstral-2 · analyzed May 15, 2026

nomisec · WRITEUP
by OS-pedrogustavobilro · poc
https://github.com/OS-pedrogustavobilro/test-changed-files

This repository contains a README referencing CVE-2025-30066, which pertains to a memory dump vulnerability in the GitHub Action 'tj-actions/changed-files' that could leak secrets. The content is a security advisory rather than an exploit PoC.

Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: tj-actions/changed-files GitHub Action
No auth needed
Prerequisites: Access to a repository using the vulnerable GitHub Action
devstral-2 · analyzed Feb 16, 2026

References (21)

https://news.ycombinator.com/item?id=43367987 (Issue Tracking, Third Party Advisory)
https://news.ycombinator.com/item?id=43368870 (Issue Tracking, Third Party Advisory)

Scores

CVSS v3: 8.6
EPSS: 0.9154
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2025-03-18
VulnCheck KEV: 2025-03-14
ENISA EUVD: EUVD-2025-6565
CWE: CWE-506
Status: published
Products (2)
GitHub Actions / tj-actions/changed-files 0 - 46.0.1
GitHub Actions / tj-actions/changed-files < 45.0.7
Published: Mar 15, 2025
KEV Added: Mar 18, 2025
Tracked Since: Feb 18, 2026