CVE-2025-30066 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability

Exploit added

March 18, 2025

Action due

April 8, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-506	Embedded Malicious Code

Known Affected Software Configurations

cpe:2.3:a:tj-actions:changed-files:29.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:30.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:17:::::::*
cpe:2.3:a:tj-actions:changed-files:23.2:::::::*
cpe:2.3:a:tj-actions:changed-files:18:::::::*
cpe:2.3:a:tj-actions:changed-files:14.7:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.8:::::::*
cpe:2.3:a:tj-actions:changed-files:11.7:::::::*
cpe:2.3:a:tj-actions:changed-files:18.4:::::::*
cpe:2.3:a:tj-actions:changed-files:12.1:::::::*
cpe:2.3:a:tj-actions:changed-files:22.1:::::::*
cpe:2.3:a:tj-actions:changed-files:19:::::::*
cpe:2.3:a:tj-actions:changed-files:14.3:::::::*
cpe:2.3:a:tj-actions:changed-files:25:::::::*
cpe:2.3:a:tj-actions:changed-files:11.3:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.4:::::::*
cpe:2.3:a:tj-actions:changed-files:16:::::::*
cpe:2.3:a:tj-actions:changed-files:3.0.2:::::::*
cpe:2.3:a:tj-actions:changed-files:1.2.1:::::::*
cpe:2.3:a:tj-actions:changed-files:31.0.3:::::::*
cpe:2.3:a:tj-actions:changed-files:11.9:::::::*
cpe:2.3:a:tj-actions:changed-files:18.6:::::::*
cpe:2.3:a:tj-actions:changed-files:1.3.0:::::::*
cpe:2.3:a:tj-actions:changed-files:19.2:::::::*
cpe:2.3:a:tj-actions:changed-files:12:::::::*
cpe:2.3:a:tj-actions:changed-files:20:::::::*
cpe:2.3:a:tj-actions:changed-files:2.0.1:::::::*
cpe:2.3:a:tj-actions:changed-files:14.1:::::::*
cpe:2.3:a:tj-actions:changed-files:22:::::::*
cpe:2.3:a:tj-actions:changed-files:11.1:::::::*
cpe:2.3:a:tj-actions:changed-files:24.1:::::::*
cpe:2.3:a:tj-actions:changed-files:14.5:::::::*
cpe:2.3:a:tj-actions:changed-files:26:::::::*
cpe:2.3:a:tj-actions:changed-files:1.1.3:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.2:::::::*
cpe:2.3:a:tj-actions:changed-files:15.1:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.6:::::::*
cpe:2.3:a:tj-actions:changed-files:11.5:::::::*
cpe:2.3:a:tj-actions:changed-files:3.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:17.2:::::::*
cpe:2.3:a:tj-actions:changed-files:3.2:::::::*
cpe:2.3:a:tj-actions:changed-files:1.0.3:::::::*
cpe:2.3:a:tj-actions:changed-files:31.0.1:::::::*
cpe:2.3:a:tj-actions:changed-files:18.2:::::::*
cpe:2.3:a:tj-actions:changed-files:32.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:1.2.2:::::::*
cpe:2.3:a:tj-actions:changed-files:18.5:::::::*
cpe:2.3:a:tj-actions:changed-files:11:::::::*
cpe:2.3:a:tj-actions:changed-files:18.7:::::::*
cpe:2.3:a:tj-actions:changed-files:1.1.0:::::::*
cpe:2.3:a:tj-actions:changed-files:19.1:::::::*
cpe:2.3:a:tj-actions:changed-files:12.2:::::::*
cpe:2.3:a:tj-actions:changed-files:19.3:::::::*
cpe:2.3:a:tj-actions:changed-files:1.3.1:::::::*
cpe:2.3:a:tj-actions:changed-files:2.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:13.1:::::::*
cpe:2.3:a:tj-actions:changed-files:20.2:::::::*
cpe:2.3:a:tj-actions:changed-files:2.1:::::::*
cpe:2.3:a:tj-actions:changed-files:13:::::::*
cpe:2.3:a:tj-actions:changed-files:21:::::::*
cpe:2.3:a:tj-actions:changed-files:10:::::::*
cpe:2.3:a:tj-actions:changed-files:22.2:::::::*
cpe:2.3:a:tj-actions:changed-files:14.2:::::::*
cpe:2.3:a:tj-actions:changed-files:23.1:::::::*
cpe:2.3:a:tj-actions:changed-files:1.1.2:::::::*
cpe:2.3:a:tj-actions:changed-files:23:::::::*
cpe:2.3:a:tj-actions:changed-files:14.4:::::::*
cpe:2.3:a:tj-actions:changed-files:24:::::::*
cpe:2.3:a:tj-actions:changed-files:11.2:::::::*
cpe:2.3:a:tj-actions:changed-files:26.1:::::::*
cpe:2.3:a:tj-actions:changed-files:14.6:::::::*
cpe:2.3:a:tj-actions:changed-files:28.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:1.0.2:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.1:::::::*
cpe:2.3:a:tj-actions:changed-files:14:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.3:::::::*
cpe:2.3:a:tj-actions:changed-files:11.4:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.5:::::::*
cpe:2.3:a:tj-actions:changed-files:15:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.7:::::::*
cpe:2.3:a:tj-actions:changed-files:1.2.0:::::::*
cpe:2.3:a:tj-actions:changed-files:29.0.9:::::::*
cpe:2.3:a:tj-actions:changed-files:17.1:::::::*
cpe:2.3:a:tj-actions:changed-files:3.0.1:::::::*
cpe:2.3:a:tj-actions:changed-files:11.6:::::::*
cpe:2.3:a:tj-actions:changed-files:3.1:::::::*
cpe:2.3:a:tj-actions:changed-files:17.3:::::::*
cpe:2.3:a:tj-actions:changed-files:3.3:::::::*
cpe:2.3:a:tj-actions:changed-files:1.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:31.0.0:::::::*
cpe:2.3:a:tj-actions:changed-files:18.1:::::::*
cpe:2.3:a:tj-actions:changed-files:31.0.2:::::::*
cpe:2.3:a:tj-actions:changed-files:11.8:::::::*
cpe:2.3:a:tj-actions:changed-files:18.3:::::::*
cpe:2.3:a:tj-actions:changed-files:-:::::::*
cpe:2.3:a:tj-actions:changed-files:1.0.1:::::::*
cpe:2.3:a:tj-actions:changed-files:1.1.1:::::::*
cpe:2.3:a:tj-actions:changed-files:10.1:::::::*
cpe:2.3:a:tj-actions:changed-files:13.2:::::::*
cpe:2.3:a:tj-actions:changed-files:20.1:::::::*

Details

Source:
NVD

Published:
March 15, 2025

Updated:
March 19, 2025

Risk information

CVSS v3

Base score:
8.6

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v2

Not defined