How the CVE Works:
The vulnerability in tj-actions/changed-files through version 45.0.7 allows remote attackers to read sensitive secrets from GitHub Actions logs. It occurs because the action improperly handled its log output in the workflow: anyone who can access the logs may find secrets such as API keys, tokens, or credentials printed there. The issue stems from a malicious update in commit 0e58ed8, which a threat actor injected into the repository. That commit changed the action's behavior to log sensitive information, making it readable by anyone with access to the workflow logs.
DailyCVE Form:
Platform: GitHub Actions
Version: tj-actions/changed-files <= 45.0.7
Vulnerability: Information Disclosure
Severity: High
Date: Mar 15, 2025
What Undercode Say:
Exploitation:
- Attackers can exploit this vulnerability by accessing GitHub Actions logs.
- Sensitive data such as API keys or tokens can be extracted from the logs.
- The malicious commit (0e58ed8) introduced the vulnerability by enabling secret logging.
Protection:
1. Update tj-actions/changed-files to version 45.0.8 or later.
2. Review GitHub Actions logs for any exposed secrets and rotate them immediately.
3. Use GitHub's `secrets` feature to store sensitive data instead of hardcoding it in workflows.
Commands:
1. Check for vulnerable versions (the action is referenced by a `uses:` line in each workflow file):
grep -rn "tj-actions/changed-files@" .github/workflows/*.yml
2. Update to the fixed version (the action is not an npm package; the version is the ref after `@` in the workflow file; pinning to a full commit SHA instead of a tag is preferable, since tags can be moved):
sed -i 's#tj-actions/changed-files@[^ ]*#tj-actions/changed-files@v45.0.8#' .github/workflows/*.yml
3. Scan logs for exposed secrets (workflow logs are held by GitHub, not in the repository; `<run-id>` comes from `gh run list`):
gh run view <run-id> --log | grep -i "secret"
Code Snippets:
1. Example of secure secret usage in GitHub Actions:
   - name: Use secret
     env:
       MY_SECRET: ${{ secrets.MY_SECRET }}
     run: echo "Secret is securely stored."
2. Malicious commit detection (`git log --grep` searches commit messages, not hashes; check whether any workflow pins the malicious commit, or look the hash up in a clone of the action repository):
grep -rn "changed-files@0e58ed8" .github/workflows/
git log --all --oneline | grep "^0e58ed8"
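The checks above can be combined into one defensive scan: find every `uses:` reference to tj-actions/changed-files in the workflow files, then classify the ref against the affected range this page gives (<= 45.0.7) and the malicious short hash (0e58ed8). This is an added example, not code from the page or from the tj-actions project; the sample workflow text is constructed, the full SHA beginning with 0e58ed8 is a placeholder padded with zeros (the page gives only the short hash), and the status names are this example's own.

```python
"""Scan GitHub Actions workflow files for tj-actions/changed-files references
and classify each '@ref' against the affected range stated on the page."""
import re
from pathlib import Path

# From the page: versions <= 45.0.7 are affected; 0e58ed8 is the malicious commit's short hash.
LAST_AFFECTED = (45, 0, 7)
MALICIOUS_SHORT_SHA = "0e58ed8"

USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/changed-files@([^\s'\"#]+)", re.IGNORECASE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_ref(ref: str) -> str:
    """Return a status string (names chosen for this example) for one '@ref' suffix."""
    if FULL_SHA_RE.match(ref):
        # A full commit SHA cannot be silently re-pointed, but it must not be the malicious commit.
        return "malicious-commit" if ref.startswith(MALICIOUS_SHORT_SHA) else "sha-pinned"
    m = TAG_RE.match(ref)
    if not m:
        # Branch names such as 'main' resolve to whatever the branch points at right now.
        return "floating-ref"
    parts = [p for p in m.groups() if p is not None]
    if len(parts) < 3:
        # 'v45' or 'v45.0' are mutable tags that the upstream repository can move to any commit.
        return "floating-tag"
    version = tuple(int(p) for p in parts)
    return "vulnerable" if version <= LAST_AFFECTED else "tag-above-affected"


def scan_workflow_text(text: str) -> list[tuple[str, str]]:
    """Classify every tj-actions/changed-files reference found in one workflow file's text."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(text)]


def scan_workflows(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan all *.yml / *.yaml files under a workflows directory; keyed by file name."""
    results: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml"))):
        findings = scan_workflow_text(path.read_text(encoding="utf-8"))
        if findings:
            results[path.name] = findings
    return results


# Constructed sample workflow (not from the page or the project); the SHA is a
# placeholder: the page's short hash padded with zeros to 40 characters.
PLACEHOLDER_MALICIOUS_SHA = MALICIOUS_SHORT_SHA + "0" * 33
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@v46
      - uses: "tj-actions/changed-files@{PLACEHOLDER_MALICIOUS_SHA}"
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for ref, status in scan_workflow_text(SAMPLE_WORKFLOW):
        print(f"{status:20s} {ref}")
    # To scan a real repository instead: scan_workflows(Path(".github/workflows"))
```

Only `sha-pinned` refs that are not the malicious commit are safe to leave as they are; a `tag-above-affected` ref is fine today but, because tags are mutable, it should still be converted to a full commit SHA.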
Analytics:
1. Impact: High risk of credential leakage.
2. Affected Users: Anyone using tj-actions/changed-files <= 45.0.7.
3. Mitigation Rate: 90% with proper updates and secret rotation.
References:
1. GitHub Advisory Database: https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
2. National Vulnerability Database
Reported By: https://github.com/advisories/GHSA-mrrh-fwg8-r2c3