
CVE-2025-30066
Date: March 14, 2025
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) According to the release notes on GitHub, the malicious commit (0e58ed8) has been removed from all tags and branches, and necessary measures have been implemented to prevent similar issues in the future. The tags up to 45.0.7 are still tagged with the CVE for users' awareness. Please refer to the tj-actions GitHub repository for more details.
Severity Score
Weakness Type (CWE)
CWE-506: Embedded Malicious Code
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | NONE |
| Availability (A): | NONE |