How the CVE Works:
CVE-2025-30066 is a software-supply-chain compromise of tj-actions/changed-files affecting every version before 46. It is not a coding flaw in the action itself: a threat actor with write access to the repository retargeted the release tags v1 through v45.0.7 so that all of them pointed at a malicious commit (0e58ed8) containing injected `updateFeatures` code. Workflows reference the action by tag, and tags are mutable, so any workflow that ran `tj-actions/changed-files@v45` (or any other affected tag) between March 14 and March 15, 2025 executed that commit automatically, with no change to the workflow file. The injected code downloaded and ran a script that dumped the memory of the runner's worker process and printed the secrets it found into the job log, encoded so that GitHub's secret masking would not redact them. Anyone able to read the run log, which for public repositories is anyone, could then recover those secrets; no interaction with the victim's workflow was required.
DailyCVE Form:
Platform: GitHub Actions
Version: tj-actions/changed-files < 46
Vulnerability: Information Disclosure
Severity: High (NVD CVSS 3.1: 8.6)
Date: 2025-03-15
What Undercode Say:
Exploitation:
1. Exploit Vector: The attacker does not run anything against the victim. Any workflow that referenced the action by one of the retargeted tags during the compromise window executed the malicious commit on its own, and that code wrote the runner's secrets into the job log. Whoever can read the run log can then extract them; for public repositories that is anyone, for private repositories anyone with read access.
2. Proof of Concept (PoC): A workflow step referencing a mutable tag in the affected range was all it took (the tag below is one of those named in the advisory; the original page's rendering of it was mangled by email obfuscation):
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Use vulnerable tj-actions/changed-files
        uses: tj-actions/changed-files@v45.0.7
Running this workflow during March 14-15, 2025 wrote the runner's secrets into the Actions log. The tags have since been restored to clean commits, so re-running it today does not reproduce the leak; it shows why a mutable tag is not a safe pin.
3. Exploit Command: The run-logs endpoint answers with a redirect to a zip archive, so follow redirects, save the archive and search the extracted files:
curl -sL -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/repos/<owner>/<repo>/actions/runs/<run_id>/logs -o run-logs.zip
unzip -p run-logs.zip | grep -iE "secret|token|password"
A plain-text grep only finds secrets printed verbatim. The payload in this incident printed the memory dump base64-encoded (which is also how it sidestepped the runner's secret masking), so long base64 blobs in the log must be decoded before searching them.
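The grep above misses secrets that were printed encoded, and the same problem applies to the log-auditing step under Mitigation. The following scanner is an added example (not the page's or the project's code) that peels up to two layers of base64 from long blobs in a log and searches the result for token-shaped strings. The log it runs on is constructed here: the timestamps, the step name and the placeholder "secrets" (a `ghp_` string of x's and an AKIA string of zeros) are made up for the demonstration; the double base64 encoding imitates how the incident's payload wrote its dump, which is reported in the incident analyses rather than on this page.

```python
import base64
import binascii
import re

# Constructed sample: placeholder secrets, encoded twice with base64 the way the
# incident's memory dump was. None of these values are real credentials.
SECRET_TEXT = (
    "GITHUB_TOKEN=ghp_" + "x" * 36 + "\n"
    + "AWS_ACCESS_KEY_ID=AKIA" + "0" * 16 + "\n"
)
INNER = base64.b64encode(SECRET_TEXT.encode()).decode()
OUTER = base64.b64encode(INNER.encode()).decode()
SAMPLE_LOG = "\n".join([
    "2025-03-14T17:02:11.0000000Z Run tj-actions/changed-files@v45.0.7",
    "2025-03-14T17:02:12.0000000Z ##[group]changed-files",
    OUTER,  # the dump, as a single long base64 line
    "2025-03-14T17:02:14.0000000Z ##[endgroup]",
])

# Runs of base64 alphabet long enough to be a payload rather than a hash or id.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Token shapes worth flagging; extend for the secret types your workflows use.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "env_assignment": re.compile(r"\b[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY)[A-Z0-9_]*=\S+"),
}


def decode_layers(token: str, max_layers: int = 2):
    """Peel up to max_layers of base64 while the result stays printable text.

    Returns (layers_peeled, text) or None if the token is not decodable text.
    """
    current, layers, text = token, 0, None
    while layers < max_layers:
        try:
            candidate = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in candidate):
            break  # binary data: not a further text layer
        layers, text = layers + 1, candidate
        current = candidate.strip()
    return (layers, text) if layers else None


def scan_log(log: str):
    """Return (layers, kind, value) triples.

    layers == 0 means the value was in the log as plain text; layers == n means
    it appeared only after peeling n base64 layers off a blob.
    """
    findings = []
    for kind, pat in SECRET_PATTERNS.items():
        findings.extend((0, kind, m.group(0)) for m in pat.finditer(log))
    for blob in BLOB_RE.findall(log):
        peeled = decode_layers(blob)
        if peeled is None:
            continue
        layers, text = peeled
        for kind, pat in SECRET_PATTERNS.items():
            findings.extend((layers, kind, m.group(0)) for m in pat.finditer(text))
    return findings


def scan_file(path: str):
    """Scan a saved log, e.g. the output of: gh run view <run_id> --log > run.log"""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read())


if __name__ == "__main__":
    for layers, kind, value in scan_log(SAMPLE_LOG):
        print(f"base64 layers={layers} kind={kind} value={value[:12]}...")
```

The plaintext pass is kept because not every leak is encoded; the decode pass is what catches this incident's output, where a masked secret never appears verbatim. Matches at a non-zero layer in a run from the compromise window are the strongest signal that rotation is required.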
Mitigation:
1. Immediate Action: Upgrade to tj-actions/changed-files version 46 or later, and pin the action to a full commit SHA rather than a tag, because retargeted tags are exactly what this incident exploited (the SHA below is a placeholder; replace it with the commit the release tag resolves to and keep the tag as a comment for readability):
      - name: Use patched tj-actions/changed-files
        uses: tj-actions/changed-files@<full-commit-sha> # v46
2. Revoke Exposed Secrets: Rotate every secret available to the jobs that ran the action during the compromise window, not only those visible in the logs; the memory dump captured whatever the runner held, and the dump was encoded rather than printed in clear.
3. Log Auditing: Review GitHub Actions logs from March 14-15, 2025 for steps that ran the action, and for long base64 blobs that decode to secrets:
gh run view <run_id> --log
4. Security Hardening: Grant workflows least-privilege permissions so that a leaked GITHUB_TOKEN is worth less to an attacker. This limits the damage but does not stop a malicious action from reading the job's secrets; pinning does that. The original page listed `secrets: inherit` under permissions, but that key belongs to jobs that call reusable workflows, not to the permissions block, so it is dropped here:
permissions:
  contents: read
Detection:
1. Script to Detect Vulnerable Versions:
grep -rnE 'tj-actions/changed-files@v([1-9]|[1-3][0-9]|4[0-5])(\.[0-9]+)*\b' .github/workflows/
grep -rnE 'tj-actions/changed-files@' .github/workflows/ | grep -vE '@[0-9a-f]{40}'
The first command matches tags v1 through v45.x; the second lists every reference that is not pinned to a full commit SHA, which remains exposed to the next tag retargeting even after upgrading.
2. Monitor Logs for Anomalies:
The malicious runs completed successfully, so filtering on failed runs finds nothing. List the runs created during the compromise window instead and inspect their logs:
gh api /repos/<owner>/<repo>/actions/runs --paginate | jq -r '.workflow_runs[] | select(.created_at >= "2025-03-14T00:00:00Z" and .created_at < "2025-03-16T00:00:00Z") | "\(.id) \(.created_at) \(.name)"'
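The grep one-liners above are quick, but they cannot tell a safe SHA pin from a pin to the malicious commit, and they miss references that use a branch name. The scanner below is an added example (not the page's or the project's code) that walks workflow files, classifies every tj-actions/changed-files reference, and reports line numbers. It uses only facts from the advisory: tags below v46 are affected, and the malicious commit's prefix is 0e58ed8. The sample workflow it ships with is constructed; the 0123456789abcdef... SHA in it is a placeholder standing in for a legitimately pinned commit, and the `.github/workflows` path is the standard location, assumed here.

```python
import re
import sys
from pathlib import Path

# From the advisory: v1 through v45.0.7 were retargeted at commit 0e58ed8;
# version 46 is the first clean release.
FIXED_MAJOR = 46
MALICIOUS_SHA_PREFIX = "0e58ed8"

# A `uses:` line for this action; the ref after '@' stops at whitespace, quote or comment.
USES_RE = re.compile(
    r"""^[ \t]*-?[ \t]*uses:[ \t]*['"]?tj-actions/changed-files@([^\s'"#]+)""",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v(\d+)(?:\.\d+)*$")


def classify_ref(ref: str) -> str:
    """Classify what a workflow pinned to: SHA, tag, or something mutable."""
    if SHA_RE.match(ref):
        if ref.startswith(MALICIOUS_SHA_PREFIX):
            return "MALICIOUS_COMMIT"      # pinned straight to the backdoored commit
        return "PINNED_SHA"               # immutable; still verify it is an upstream commit
    m = TAG_RE.match(ref)
    if m:
        if int(m.group(1)) < FIXED_MAJOR:
            return "AFFECTED_TAG"         # v1..v45.x: was retargeted during the incident
        return "MUTABLE_TAG_PATCHED"      # clean today, but a tag can be moved again
    return "UNPINNED_REF"                 # branch name or similar: mutable, review by hand


def scan_text(text: str):
    """Return (line_number, ref, status) for every changed-files reference in text."""
    return [
        (text.count("\n", 0, m.start()) + 1, m.group(1), classify_ref(m.group(1)))
        for m in USES_RE.finditer(text)
    ]


def scan_workflows(root: str = ".github/workflows"):
    """Scan every .yml/.yaml file under root; returns {path: [findings]}."""
    results = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        hits = scan_text(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


def needs_action(hits) -> bool:
    """True if any reference is affected, malicious, or not pinned at all."""
    return any(status in ("AFFECTED_TAG", "MALICIOUS_COMMIT", "UNPINNED_REF")
               for _, _, status in hits)


# Constructed sample workflow (not from the page); covers every classification.
SAMPLE_WORKFLOW = """name: CI
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files
        uses: tj-actions/changed-files@v45.0.7
      - uses: "tj-actions/changed-files@v46"
      - uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67 # v45.0.7
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan_workflows(sys.argv[1])
    else:
        found = {"<sample>": scan_text(SAMPLE_WORKFLOW)}
    for path, hits in found.items():
        for line, ref, status in hits:
            print(f"{path}:{line}: {status} ({ref})")
    sys.exit(1 if any(needs_action(h) for h in found.values()) else 0)
```

Run it as `python3 scan_changed_files.py .github/workflows` in a CI job so that a regression to a mutable tag fails the build; the non-zero exit on `UNPINNED_REF` is deliberate, since a branch pin is what made the retargeting effective.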
Additional Analytics:
- CVSS 3.1 Score (NVD): 8.6 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed (the action runs inside the victim's job and exposes that repository's secrets)
- Impact: High (Confidentiality); Integrity and Availability: None
By following these steps, organizations can mitigate the risk posed by CVE-2025-30066 and secure their GitHub Actions workflows.
References:
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-30066