CVE-2025-30066 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
mitre	CNA	8.6 HIGH				CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 98%

Vendor	Product	Version
tj-actions	changed-files	𝑥 ≤ 45.0.7

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-506 - Embedded Malicious Code
The application contains code that appears to be malicious in nature.

Vulnerability Media Exposure

[ENGLISH] Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed
The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,"
Published: 2025-03-23T10:56:00+05:30
[GERMAN] Hacker liest Secrets aus CI/CD-Pipelines
Eine Kompromittierung der Github-Action „tj-actions/changed-files“, bei der ein Angreifer unautorisierten Zugriff auf das Repository erhielt und schädlichen Code einfügte, führte zu einer Sicherheitslücke. So konnte er sensible Informationen aus CI/CD-Pipelines auslesen.
Published: 2025-03-27T07:00:00+01:00

References

https://blog.gitguardian.com/compromised-tj-actions/

https://github.com/chains-project/maven-lockfile/pull/1111

https://github.com/espressif/arduino-esp32/issues/11127

https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193

https://github.com/modal-labs/modal-examples/issues/1100

https://github.com/rackerlabs/genestack/pull/903

https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28

https://github.com/tj-actions/changed-files/issues/2463

https://github.com/tj-actions/changed-files/issues/2464

https://github.com/tj-actions/changed-files/issues/2477

https://news.ycombinator.com/item?id=43367987

https://news.ycombinator.com/item?id=43368870

https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/

https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463

https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond

https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack

https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066

https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066