PT-2025-11328 · Unknown · Tj-Actions

Published 2025-03-14 · Updated 2026-04-01 · CVE-2025-30066

CVSS v3.1: 8.6 High (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Name of the Vulnerable Software and Affected Versions

tj-actions/changed-files versions 1 through 45.0.7

Description

The tj-actions/changed-files GitHub Action was compromised, allowing remote attackers to discover secrets by reading actions logs. The compromise occurred between March 14 and March 15, 2025, due to a malicious commit (0e58ed8671d6b60d0890c21b07f8835ace038e67) being retroactively applied to multiple version tags. This malicious code executed a Python script that extracted secrets from the Runner Worker process memory and logged them, potentially exposing API keys, AWS keys, GitHub tokens, and RSA keys. The attack affected over 23,000 repositories. The malicious script connected to gist.githubusercontent.com to retrieve and execute a script (memdump.py) designed to extract sensitive information. Public repositories were at higher risk due to the potential for exposed secrets in publicly accessible logs.

Recommendations

For versions 1 through 45.0.7, review workflows executed between March 14 and March 15, 2025, for unexpected output in the changed-files section. If suspicious output is found, decode it and rotate any exposed secrets immediately. Update workflows referencing the compromised commit to avoid using the vulnerable version. If using tagged versions, no action is required as the tags have been updated. As a precaution, rotate any potentially exposed secrets.
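
One way to carry out the workflow-reference check from the recommendations, as an added example that is not part of the original advisory or the tj-actions project: it scans workflow files for tj-actions/changed-files steps and labels each reference as the compromised commit, another full-length commit SHA, or a movable tag or branch. The function names, label names and the sample workflow are assumptions made for this example.

```python
import re
from pathlib import Path

# Malicious commit named in the advisory text above.
COMPROMISED_SHA = "0e58ed8671d6b60d0890c21b07f8835ace038e67"
ACTION = "tj-actions/changed-files"

# `uses: tj-actions/changed-files@<ref>`, as a list item or a step key, quoted or not.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?""" + re.escape(ACTION)
                     + r"""@([^\s"'#]+)""", re.IGNORECASE)

def classify(ref):
    """Label a ref: the advisory's commit, another full SHA, or a movable tag/branch."""
    ref = ref.lower()
    if ref == COMPROMISED_SHA:
        return "compromised-commit"
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "pinned-sha"
    return "mutable-ref"

def scan_text(text, name="<workflow>"):
    """Return (file, line number, ref, label) for each changed-files step in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)  # commented-out steps start with '#' and do not match
        if m:
            findings.append((name, lineno, m.group(1), classify(m.group(1))))
    return findings

def scan_repo(root="."):  # every workflow file under <root>/.github/workflows
    findings = []
    for path in sorted((Path(root) / ".github" / "workflows").glob("*.y*ml")):
        findings += scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return findings

# Constructed sample workflow (not from the advisory); the all-'a' SHA is a placeholder.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v45
  - name: Changed files
    uses: "tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67"
  # - uses: tj-actions/changed-files@v1
  - uses: tj-actions/changed-files@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for name, lineno, ref, label in scan_repo() or scan_text(SAMPLE, "sample.yml"):
        print(f"{name}:{lineno}: {ACTION}@{ref} -> {label}")
```

Run from a repository root it reports that repository's workflow files; with no matches it falls back to the constructed sample.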

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00066
CVE-2025-30066
GHSA-MRRH-FWG8-R2C3

Affected Products

Tj-Actions