All intelligence
// vulnerability record
live · NVDCVE-2025-30066
HIGHKEVpublished 2025-03-15 06:15 UTC · 1 year ago · modified 2026-06-17 09:08 UTC
8.6
CVSS / 10
// description
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
// required action (CISA KEV)
Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
added 2025-03-18 00:00 UTC
// weaknesses (CWE)
- CWE-506
- NVD-CWE-Other
// references (21)
- https://blog.gitguardian.com/compromised-tj-actions/
- https://github.com/chains-project/maven-lockfile/pull/1111
- https://github.com/espressif/arduino-esp32/issues/11127
- https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193