
CVE-2025-30066: CWE-506 Embedded Malicious Code in tj-actions changed-files

High
Tags: Vulnerability, CVE-2025-30066, CWE-506
Published: Sat Mar 15 2025 (03/15/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: tj-actions
Product: changed-files

Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

AI-Powered Analysis

Last updated: 08/05/2025, 01:05:25 UTC

Technical Analysis

CVE-2025-30066 is a high-severity software supply-chain compromise of the tj-actions/changed-files GitHub Action, affecting every workflow that referenced any tag from v1 through v45.0.7 on 2025-03-14 and 2025-03-15. The threat actor did not change the action's main branch; they force-moved the existing release tags so that all of them resolved to commit 0e58ed8, whose updateFeatures code carried the malicious payload. A workflow that references an action by tag (for example tj-actions/changed-files@v45) resolves that tag at run time, so any job that ran the action during that window executed the attacker's code on the runner with the job's own permissions. The payload read the memory of the runner's worker process, extracted the secrets and tokens that had been made available to the job, and printed them into the step's log output, double-base64-encoded. For public repositories those logs are readable by anyone, which is the sense in which the CVE text says remote attackers "discover secrets by reading actions logs"; in private repositories the exposure is limited to users who can view workflow runs, but the secrets must still be treated as compromised. CWE-506 (Embedded Malicious Code) applies because the payload was inserted into what consumers believed to be legitimate, versioned code rather than being a bug in that code. The CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects that no authentication or user interaction is needed, that attack complexity is low, and that confidentiality is fully compromised with a scope change: the leaked secrets belong to the consuming repository and to the systems those credentials unlock, not to the action itself. Integrity and availability are not scored, but leaked deployment credentials can be used against both downstream. The maintainers restored the tags and published a clean release (version 46; v46.0.1 is the fixed tag), so upgrading is straightforward, but the incident shows that pinning an action by tag is not a security control: tags are mutable references, and only a full commit SHA identifies a fixed tree.
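The leak path described above can be checked for after the fact in the job logs. The scanner below is an added example, not code from this page or from the tj-actions project: it finds long base64 runs in a workflow log, peels the encoding one layer at a time (the reported payload printed the dumped secrets double-base64-encoded, and a single-encoded variant is handled the same way), and reports lines whose decoded content carries credential markers. The log lines, timestamps and the token value inside them are constructed for the demonstration.

```python
import base64
import re

# Constructed sample log (not a real workflow log). The third line imitates
# what the compromised step did: print the runner's secrets into the job log
# as a double-base64-encoded blob. The token value is made up.
_FAKE_SECRETS = (
    "GITHUB_TOKEN=ghs_EXAMPLE000000000000000000000000000000\n"
    "AWS_SECRET_ACCESS_KEY=not-a-real-secret\n"
)
_DOUBLE_B64 = base64.b64encode(base64.b64encode(_FAKE_SECRETS.encode())).decode()

SAMPLE_LOG = "\n".join([
    "2025-03-14T22:10:01.0000000Z Run tj-actions/changed-files@v45",
    "2025-03-14T22:10:02.0000000Z Fetching changed files for the PR",
    "2025-03-14T22:10:03.0000000Z " + _DOUBLE_B64,
    "2025-03-14T22:10:04.0000000Z All done",
])

# Candidate blob: a long run of base64 alphabet characters. 40 chars also
# matches commit SHAs; those are discarded below because they do not decode
# to text containing a secret marker.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Patterns that indicate decoded text is credential material.
SECRET_MARKERS = (
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}"),        # GitHub token prefixes
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                # AWS access key id
    re.compile(r"(?i)(token|secret|password)\s*[=:]\s*\S"),  # name=value dumps
)


def peel_base64(blob: str, max_layers: int = 3):
    """Decode `blob` layer by layer. Returns (plaintext, layers) for the first
    layer whose output is UTF-8 text containing a secret marker, else (None, 0)."""
    data = blob.encode("ascii")
    for layer in range(1, max_layers + 1):
        try:
            data = base64.b64decode(data, validate=True)
        except ValueError:            # binascii.Error: bad alphabet or padding
            return None, 0
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:    # binary garbage, e.g. a hex SHA read as base64
            return None, 0
        if any(m.search(text) for m in SECRET_MARKERS):
            return text, layer
        # Not secrets yet: only keep peeling if this layer is itself base64.
        if not B64_RE.fullmatch(text.strip()):
            return None, 0
    return None, 0


def find_leaked_secrets(log_text: str):
    """Scan a workflow log; return one record per line carrying encoded secrets."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in B64_RE.finditer(line):
            text, layers = peel_base64(m.group(0))
            if text is not None:
                hits.append({"line": lineno, "layers": layers, "plaintext": text})
                break  # one record per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_leaked_secrets(SAMPLE_LOG):
        # Do not print the plaintext outside a controlled IR environment.
        print(f"line {hit['line']}: secrets found under {hit['layers']} base64 layer(s)")
```

Feed it the raw log of each run from the affected window (for example the output of `gh run view <run-id> --log`); a hit means every secret that job could see must be rotated, whatever the decoded text happens to show.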

Potential Impact

For European organizations, the impact of CVE-2025-30066 can be significant for anyone running tj-actions/changed-files in GitHub Actions pipelines. Every secret that was available to a job which executed an affected tag during the window (GITHUB_TOKEN, cloud provider keys, package-registry and container-registry tokens, signing keys, deployment credentials) must be assumed to have been written to that job's log. For public repositories the log is world-readable, so the attacker or anyone else who noticed the incident could harvest those values; for private repositories the log is visible to collaborators, which still means the secrets are outside their intended custody. Stolen credentials enable unauthorized access to internal systems, tampering with released artifacts, and lateral movement into cloud accounts, and a resulting personal-data breach carries notification and liability obligations under GDPR. Because the action is usually invoked early in pull-request and release workflows, a single affected organization may have many repositories and many credential sets exposed at once; this is what the CVSS scope change captures: the damage lands on the consuming repositories and the systems their secrets unlock, not on the action itself. Note that the victim does not have to be attacked directly: the victim's own CI ran the malicious code, and the attacker only needs network access to read the resulting logs. The supply-chain nature of the incident also undermines trust in tag-based dependency references generally, and organizations that pin actions only by tag should treat every such reference as subject to the same risk.

Mitigation Recommendations

1. Immediate upgrade: move to version 46 of tj-actions/changed-files (v46.0.1 is the fixed tag) and, at the same time, reference the action by the full commit SHA of that release rather than by tag, so that a future tag move cannot silently change what runs.
2. Assume compromise for the window: for every workflow that ran the action at any tag from v1 through v45.0.7 on 2025-03-14 or 2025-03-15, rotate every secret the job could see. GITHUB_TOKEN expires with the job, but personal access tokens, cloud keys, registry tokens and signing keys do not. Review those runs' logs for the double-base64-encoded output; for public repositories assume it has already been read.
3. Codebase audit: review all workflows, reusable workflows and composite actions, including those in forks, for other third-party actions referenced by mutable tag or branch, and check whether any workflow file was changed during the window.
4. Secret management: never echo secrets to logs, scope secrets to the jobs and environments that need them, and prefer OIDC federation to long-lived cloud keys so there is less static material in runner memory to dump.
5. Access controls: restrict who can view workflow runs of private repositories, and understand that logs of public repositories are public by design; encrypting log storage does not change that.
6. Supply chain security: pin every action to a full commit SHA with a version comment, restrict which actions may run through the organization's allowed-actions policy, verify commit signatures where the project provides them, and let a dependency bot manage SHA pin updates so pins do not rot.
7. Incident response readiness: alert on use of rotated credentials and on token activity from unexpected sources, and keep a runbook for bulk secret rotation across repositories.
8. Runner egress control: on self-hosted runners, restrict outbound network access so that a compromised step cannot fetch a second-stage payload (the payload in this incident downloaded its memory-dump script from a public gist); GitHub-hosted runners do not offer this control.
9. Monitoring and alerting: watch for unexpected outbound connections, unusual process activity such as reads of other processes' memory, and long base64 output in step logs, and alert on any workflow reference to tj-actions/changed-files that is not pinned to a SHA.
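The control that would have prevented this incident, from recommendation 6, is pinning every third-party action to a full commit SHA, because the attacker moved tags rather than commits. The script below is an added example and not the project's own tooling: it walks the workflow files of a checked-out repository, flags `uses:` references that resolve through a mutable tag or branch, and separately flags any reference to tj-actions/changed-files that is not SHA-pinned or that points at the commit prefix named in the CVE description (compare against the full 40-character hash in production). The sample workflow text and the 40-hex placeholder SHA inside it are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample workflow for the demonstration; the 40-hex value on the
# SHA-pinned line is a placeholder, not a real commit of the action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v44.5.5 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Action repositories whose tags were retargeted in this incident, mapped to
# the abbreviated malicious commit named in the CVE text. The short prefix is
# used here only because the description gives no longer form.
COMPROMISED = {"tj-actions/changed-files": "0e58ed8"}


def classify(ref: str):
    """Return a finding kind for one `uses:` value, or None if it is acceptable."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None                       # local actions and image refs have no git tag to move
    if "@" not in ref:
        return "no-ref"                   # GitHub rejects this, but flag it anyway
    path, version = ref.rsplit("@", 1)
    owner_repo = "/".join(path.split("/")[:2])   # drop any sub-directory part
    pinned = bool(FULL_SHA_RE.match(version))
    bad_prefix = COMPROMISED.get(owner_repo)
    if bad_prefix and version.startswith(bad_prefix):
        return "malicious-commit"         # pinned straight to the attacker's commit
    if bad_prefix and not pinned:
        return "compromised-mutable-ref"  # a tag that was retargeted in the incident
    if not pinned:
        return "mutable-ref"              # any other tag or branch: replace with a SHA pin
    return None


def audit_workflow_text(text: str):
    """Audit one workflow file's text; returns a list of findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(1))
        if kind:
            findings.append({"line": lineno, "ref": m.group(1), "kind": kind})
    return findings


def audit_repo(repo_root: str):
    """Audit every workflow file under .github/workflows of a checked-out repo."""
    results = {}
    wf_dir = Path(repo_root, ".github", "workflows")
    for pattern in ("*.yml", "*.yaml"):
        for wf in sorted(wf_dir.glob(pattern)):
            findings = audit_workflow_text(wf.read_text(encoding="utf-8"))
            if findings:
                results[str(wf)] = findings
    return results


if __name__ == "__main__":
    for f in audit_workflow_text(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']}: {f['ref']}")
```

The regex-based parse is deliberate: it runs without PyYAML and catches `uses:` lines in composite actions and reusable workflows as well. A `malicious-commit` or `compromised-mutable-ref` finding means the secret rotation in recommendation 2 applies to that workflow; a plain `mutable-ref` finding is the condition that made this incident possible and should be converted to a SHA pin with a version comment.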


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-03-15T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68881728ad5a09ad0088bc8f

Added to database: 7/29/2025, 12:34:48 AM

Last enriched: 8/5/2025, 1:05:25 AM

Last updated: 9/12/2025, 3:40:47 AM

Views: 49
