SB2025031746 - Embedded malicious code in tj-actions changed-files
Published: March 17, 2025 Updated: March 18, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Embedded malicious code (backdoor) (CVE-ID: CVE-2025-30066)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to the presence of embedded malicious functionality in the application code (a backdoor). A remote attacker can discover secrets by reading Actions logs.
Note: the vulnerability is being exploited in the wild.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
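With no vendor fix listed, the first triage step is finding which workflows call the affected action. The following is an added example, not code from the bulletin or from the tj-actions project: it scans `.github/workflows/` for `uses: tj-actions/changed-files@<ref>` and reports whether each reference is a full commit SHA or a mutable tag or branch. The function names, the sample workflow and its SHA are constructed for illustration.

```python
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"  # the action named in this bulletin
# `uses: tj-actions/changed-files@<ref>`, optionally a list item and/or quoted.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?""" + re.escape(ACTION) + r"""@([^\s'"#]+)""",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def find_uses(text, source="<memory>"):
    """Return one finding per non-comment line that references ACTION."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps never execute
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # A tag or branch can be repointed upstream; a full SHA cannot.
            # A SHA pin must still be checked against the upstream advisory.
            pin = "sha" if FULL_SHA_RE.fullmatch(ref.lower()) else "mutable"
            findings.append({"file": source, "line": lineno, "ref": ref, "pin": pin})
    return findings

def scan_repo(root="."):
    """Scan every workflow file under <root>/.github/workflows."""
    findings = []
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings += find_uses(text, str(path))
    return findings

# Constructed sample workflow (the tag and the SHA are placeholders).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      # - uses: tj-actions/changed-files@v0
      - name: pinned
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""

if __name__ == "__main__":
    for f in scan_repo() or find_uses(SAMPLE, "SAMPLE"):
        print(f"{f['file']}:{f['line']}: {ACTION}@{f['ref']} ({f['pin']})")
```

Every workflow run that executed a flagged step during the exposure window should have its logs reviewed and the secrets available to that job rotated.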
References
- https://github.com/chains-project/maven-lockfile/pull/1111
- https://github.com/espressif/arduino-esp32/issues/11127
- https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
- https://github.com/modal-labs/modal-examples/issues/1100
- https://github.com/rackerlabs/genestack/pull/903
- https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
- https://github.com/tj-actions/changed-files/issues/2463
- https://github.com/tj-actions/changed-files/issues/2464
- https://github.com/tj-actions/changed-files/issues/2477
- https://news.ycombinator.com/item?id=43367987
- https://news.ycombinator.com/item?id=43368870
- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
- https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
- https://web.archive.org/web/20250315060250/
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
- https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
- https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
- https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066