
CVE-2025-30066: CWE-506 Embedded Malicious Code in tj-actions changed-files

Severity: High
Type: Vulnerability
Tags: CVE-2025-30066, cve, cwe-506
Published: Sat Mar 15 2025 (03/15/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: tj-actions
Product: changed-files

Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 00:03:25 UTC

Technical Analysis

CVE-2025-30066 is a vulnerability classified under CWE-506 (Embedded Malicious Code) affecting the tj-actions changed-files project, specifically versions before 46. The vulnerability stems from a malicious commit (0e58ed8) introduced by a threat actor into versions v1 through v45.0.7 during March 14-15, 2025. This commit embedded malicious code within the updateFeatures function, which caused the action logs generated by the changed-files GitHub Action to leak sensitive secrets. Because the logs are accessible remotely, attackers can read them without any authentication or user interaction, leading to a confidentiality breach. The CVSS 3.1 score is 8.6 (high), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and a scope change with high confidentiality impact but no impact on integrity or availability. The vulnerability affects CI/CD pipelines and development workflows that rely on tj-actions changed-files for detecting changed files in repositories. The malicious code's presence in official tags means many users could have unknowingly deployed compromised workflows, increasing the risk of secret leakage. Although no exploits are currently known in the wild, the potential for secret disclosure is significant, especially in environments where sensitive credentials or tokens are stored in GitHub Actions logs.

Potential Impact

The primary impact of CVE-2025-30066 is the unauthorized disclosure of sensitive secrets such as API keys, tokens, or credentials stored or exposed in GitHub Actions logs. This can lead to further compromise of organizational assets, including cloud infrastructure, internal services, or third-party integrations. Since the vulnerability requires no authentication or user interaction, attackers can remotely access logs and extract secrets, potentially leading to lateral movement, data breaches, or service disruptions. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the immediate changed-files action, possibly impacting the entire CI/CD pipeline's security posture. Organizations relying on affected versions may face compliance violations, reputational damage, and operational risks if secrets are leaked. The lack of known exploits in the wild suggests that proactive patching can prevent exploitation, but the malicious commit's presence in official releases means many users might have been exposed unknowingly.

Mitigation Recommendations

1. Immediately upgrade tj-actions changed-files to version 46 or later, which removes the malicious commit and fixes the vulnerability.
2. Audit all GitHub Actions logs generated between March 14-15, 2025, for any exposed secrets and rotate any credentials or tokens that may have been leaked.
3. Implement strict access controls on GitHub Actions logs to limit who can view sensitive information.
4. Use GitHub's secret scanning and monitoring tools to detect any leaked secrets in repositories or logs.
5. Employ ephemeral or short-lived secrets in CI/CD pipelines to minimize the impact of potential leaks.
6. Review and harden CI/CD workflows to avoid logging sensitive information unnecessarily.
7. Monitor threat intelligence sources for any emerging exploits targeting this vulnerability.
8. Consider implementing additional runtime security controls to detect anomalous access to logs or secrets.
9. Educate development and DevOps teams about the risks of embedded malicious code and the importance of verifying third-party action integrity.
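The first and last recommendations above (move to version 46 or later, and verify the integrity of third-party actions) start with an inventory: which workflows reference tj-actions/changed-files, and by what kind of ref. The script below is an added example written for this page, not code from tj-actions or from the CVE record. It scans workflow text for `uses:` lines that reference the action and classifies each ref using only the facts stated on this page: tags v1 through v45.0.7 were retargeted, version 46 carries the fix, and 0e58ed8 is the commit the tags were pointed at. The workflow text embedded in the script is constructed for the demonstration, and the 40-character SHA in it is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

ACTION = "tj-actions/changed-files"
FIXED_MAJOR = 46                      # page: "before 46" is affected, 46+ is fixed
MALICIOUS_COMMIT_PREFIX = "0e58ed8"   # page: commit the affected tags were moved to

# A `uses:` line referencing the action; the ref runs up to whitespace or a comment.
USES_RE = re.compile(r"uses:\s*" + re.escape(ACTION) + r"@([^\s#]+)")
# Release-style tag: v45, v45.0.7, 46, 46.0.1 ...
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
# Abbreviated or full commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")

# Constructed sample workflow (not taken from any real repository). It mixes the
# reference styles seen in practice plus an unrelated action that must be ignored.
# The 40 x 'a' SHA is a placeholder, not a real tj-actions commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@v46
      - uses: tj-actions/changed-files@0e58ed8
      - uses: tj-actions/changed-files@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # constructed placeholder SHA
"""


def classify_ref(ref: str) -> str:
    """Classify one ref of the action against the facts in the CVE record.

    Tags are checked before SHAs because a bare numeric tag such as "46" would
    otherwise be mistaken for hex.
    """
    tag = TAG_RE.match(ref)
    if tag:
        major = int(tag.group(1))
        if major < FIXED_MAJOR:
            return "AFFECTED_TAG"          # v1 .. v45.0.7 were retargeted to the malicious commit
        return "FIXED_TAG_MUTABLE"         # carries the fix, but a tag can be moved again
    if SHA_RE.match(ref):
        if ref.startswith(MALICIOUS_COMMIT_PREFIX):
            return "KNOWN_MALICIOUS_COMMIT"  # the commit named in the advisory
        return "SHA_PINNED_VERIFY"         # immutable ref; confirm the SHA is a known-good release
    return "UNRECOGNISED_REF"              # branch name, expression, etc.: inspect by hand


def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ref, classification) for every reference to the action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.search(line)
        if match:
            ref = match.group(1)
            findings.append((line_no, ref, classify_ref(ref)))
    return findings


def needs_action(findings: List[Tuple[int, str, str]]) -> bool:
    """True if any reference is on the affected tag range or the malicious commit."""
    return any(status in ("AFFECTED_TAG", "KNOWN_MALICIOUS_COMMIT") for _, _, status in findings)


if __name__ == "__main__":
    results = scan_workflow(SAMPLE_WORKFLOW)
    for line_no, ref, status in results:
        print(f"line {line_no:>3}: {ACTION}@{ref:<42} {status}")
    print("remediation required" if needs_action(results) else "no affected references")
```

Run it against each file under `.github/workflows/` in the repositories you own; any `AFFECTED_TAG` or `KNOWN_MALICIOUS_COMMIT` hit marks a workflow whose logs from the March 14-15 window should be audited and whose secrets should be rotated, per items 1 and 2 above. `FIXED_TAG_MUTABLE` hits are on a fixed release but still float, which is exactly the property the retargeting abused; pinning to a full commit SHA you have checked yourself is the durable form of item 9.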


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-03-15T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68881728ad5a09ad0088bc8f

Added to database: 7/29/2025, 12:34:48 AM

Last enriched: 2/27/2026, 12:03:25 AM

Last updated: 3/26/2026, 9:15:50 AM

