CVE-2025-30066

Date: March 14, 2025

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) According to the release notes on GitHub, the malicious commit (0e58ed8) has been removed from all tags and branches, and necessary measures have been implemented to prevent similar issues in the future. The tags up to 45.0.7 were still tagged with the CVE for users' awareness. Please refer to the tj-actions GitHub repository for more details.

Severity Score


Weakness Type (CWE)

Embedded Malicious Code

CWE-506

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
