
CVE-2025-30066: CWE-506 Embedded Malicious Code in tj-actions changed-files

Severity: High
Tags: Vulnerability, CVE-2025-30066, cve, cve-2025-30066, cwe-506
Published: Sat Mar 15 2025 (03/15/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: tj-actions
Product: changed-files

Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

AI-Powered Analysis

Last updated: 10/21/2025, 20:14:07 UTC

Technical Analysis

CVE-2025-30066 is a vulnerability classified under CWE-506 (Embedded Malicious Code) affecting the tj-actions changed-files GitHub Action prior to version 46. On March 14 and 15, 2025, threat actors compromised the repository by modifying tags v1 through v45.0.7 to point to a malicious commit (0e58ed8) containing harmful updateFeatures code. Any workflow that resolved one of those tags during that window ran the malicious code, which exposes the secrets used by the workflow (API keys, tokens, or other credentials used during CI/CD) in the GitHub Actions logs, where remote attackers can read them. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 score is 8.6 (high), reflecting the high impact on confidentiality with no impact on integrity or availability. The scope is changed, indicating that the vulnerability affects components beyond the initially intended security boundary. No patches or fixes were linked at the time of publication, but upgrading to version 46 or later is implied to remediate the issue. No known exploits have been reported in the wild yet, but the potential for secret leakage poses a significant risk to organizations relying on this action for their automated workflows.

Potential Impact

The primary impact of CVE-2025-30066 is the unauthorized disclosure of sensitive secrets embedded in GitHub Actions logs. For European organizations, this can lead to credential compromise, unauthorized access to cloud services, internal systems, or third-party APIs, and subsequent lateral movement or data breaches. Since many European companies rely on GitHub Actions for CI/CD pipelines, especially in software development, fintech, and technology sectors, the risk is substantial. The confidentiality breach could result in regulatory violations under GDPR if personal data or critical infrastructure credentials are exposed. Although the vulnerability does not affect integrity or availability directly, the leaked secrets can be used to compromise other systems, amplifying the overall security risk. The lack of required authentication and user interaction increases the attack surface, making automated exploitation feasible. Organizations with complex DevOps environments are particularly vulnerable if they have not updated to the fixed version or audited their workflows for malicious code.

Mitigation Recommendations

To mitigate CVE-2025-30066, European organizations should immediately upgrade the tj-actions changed-files GitHub Action to version 46 or later, where the malicious commit is no longer referenced. Conduct a thorough audit of all GitHub Actions workflows to detect any unauthorized or suspicious changes, especially those referencing older tags or commits. Rotate all secrets and credentials that may have been exposed through GitHub Actions logs, including API keys, tokens, and certificates. Implement strict access controls and monitoring on GitHub repositories to prevent unauthorized modifications to workflow files and tags. Enable GitHub's security features such as Dependabot alerts and secret scanning to detect potential exposures early. Consider using ephemeral secrets or vault integrations to minimize secret exposure in logs. Finally, educate development teams about supply chain risks and enforce code review policies for workflow changes to reduce the risk of malicious code injection.
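The audit step above (finding workflows that still reference affected tags or the malicious commit) is easy to automate. The script below is an added example, not code from the advisory or from the tj-actions project. It scans GitHub Actions workflow files line by line for `uses:` references and reports three things: references to tj-actions/changed-files at a version before 46, references to the commit 0e58ed8 named in the CVE, and any action referenced by a mutable tag or branch rather than a full commit SHA. The last check goes slightly beyond the advisory text: because the incident worked by repointing tags, even the fixed `v46` tag is reported as unpinned. The workflow text embedded below is constructed for the example, and the 40-character SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow files for references to tj-actions/changed-files
that are affected by CVE-2025-30066, and for any action pinned to a mutable ref.
Stdlib only: the workflow text is scanned line by line, so PyYAML is not needed."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Facts taken from the CVE description: versions before 46 are affected, and the
# repointed tags resolved to commit 0e58ed8.
AFFECTED_ACTION = "tj-actions/changed-files"
FIXED_MAJOR = 46
MALICIOUS_COMMIT_PREFIX = "0e58ed8"

# Matches `uses: owner/repo[/path]@ref`, with optional surrounding quotes.
# Local (`./x`) and `docker://` references have no `owner/repo@ref` form and are skipped.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\'#]+)'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.\d+)*$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str      # "malicious-commit" | "affected-version" | "unpinned"
    detail: str


def parse_major(ref: str) -> Optional[int]:
    """Major number of a version tag such as v45.0.7 or v46; None for anything else."""
    m = TAG_RE.match(ref)
    return int(m.group(1)) if m else None


def classify(action: str, ref: str) -> Optional[tuple]:
    """Return (kind, detail) for a risky reference, or None if it is acceptable."""
    repo = "/".join(action.split("/")[:2])   # drop any sub-path inside the repo
    if repo == AFFECTED_ACTION:
        if ref.startswith(MALICIOUS_COMMIT_PREFIX):
            return ("malicious-commit", "points at commit 0e58ed8 named in CVE-2025-30066")
        major = parse_major(ref)
        if major is not None and major < FIXED_MAJOR:
            return ("affected-version", f"{ref} is before v{FIXED_MAJOR}; upgrade")
    if not FULL_SHA_RE.match(ref):
        # A tag or branch can be repointed by whoever controls the repository,
        # which is exactly what happened in this incident; a full commit SHA cannot.
        return ("unpinned", "mutable tag/branch ref; pin to a full 40-hex commit SHA")
    return None


def audit_workflow(text: str) -> List[Finding]:
    """Scan one workflow's text and return every risky `uses:` reference, in order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        hit = classify(action, ref)
        if hit:
            findings.append(Finding(n, action, ref, hit[0], hit[1]))
    return findings


def audit_paths(paths) -> List[tuple]:
    """Scan workflow files on disk; returns (path, Finding) pairs."""
    out = []
    for p in paths:
        for f in audit_workflow(Path(p).read_text(encoding="utf-8")):
            out.append((str(p), f))
    return out


# Constructed sample workflow (not from any real repository); the setup-node SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@0e58ed8
      - uses: tj-actions/changed-files@v46
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_paths(sys.argv[1:])
    else:
        results = [("<sample>", f) for f in audit_workflow(SAMPLE_WORKFLOW)]
    for path, f in results:
        print(f"{path}:{f.line_no}: [{f.kind}] {f.action}@{f.ref}: {f.detail}")
    sys.exit(1 if results else 0)
```

Run it as `python audit_actions.py .github/workflows/*.yml` in a CI job or a pre-commit hook; the non-zero exit status on any finding lets it block merges. On the embedded sample it reports lines 7, 9, 10 and 11 (the checkout tag, the affected v45.0.7 tag, the malicious commit, and the unpinned v46 tag) and accepts the SHA-pinned setup-node step. Because the script only matches lines of the form `uses: owner/repo@ref`, reusable workflows and composite actions defined in the same repository are not covered; those need the same treatment in the repositories they point to.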


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-15T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68881728ad5a09ad0088bc8f

Added to database: 7/29/2025, 12:34:48 AM

Last enriched: 10/21/2025, 8:14:07 PM

Last updated: 10/29/2025, 8:50:24 PM

Views: 85
