
Update Your GitHub Workflows immediately


A critical security vulnerability (CVE-2025-30066) in the popular third-party GitHub Action tj-actions/changed-files has been identified, putting sensitive information at risk. The flaw exposed valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys, prompting an urgent call for users to update to the patched version 46.0.1 to safeguard their repositories and workflows.

tj-actions/changed-files is a widely used GitHub Action that tracks file modifications in pull requests and commits, helping developers automate CI/CD workflows. A recent supply chain compromise of this action allowed attackers to plant malicious code in it, creating an information disclosure risk for every workflow that pulled it. The compromise was discovered by StepSecurity Harden-Runner and has been addressed in the latest patch.

The compromise, which occurred between March 14 and March 15, 2025, involved malicious actors repointing the version tags v1 through v45.0.7 to commit 0e58ed8, which carried the malicious code. Because these tags are mutable, any workflow referencing the action by tag silently picked up the altered commit. This alteration enabled attackers to access action logs and potentially extract sensitive credentials. GitHub and the maintainer of tj-actions/changed-files acted swiftly to remove the compromised commit from all tags and branches, issuing a fix in version 46.0.1 and urging users to update promptly to prevent further exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog, highlighting the severity of the issue. CISA strongly recommends that organizations follow its mitigation steps to improve security when using third-party GitHub Actions.

To mitigate the risk posed by the compromised action, users are advised to review workflows for any suspicious activity, update to the latest version (v46.0.1), rotate any potentially exposed secrets, and tighten security controls around third-party actions. The compromise of tj-actions/changed-files is a stark example of supply chain attacks affecting the open-source community, underscoring the cascading impact a single compromised dependency can have across many sectors.

Key risks stemming from CVE-2025-30066 include the exposure of sensitive credentials, potential unauthorized access, and wide-scale repercussions due to the action’s popularity. In light of this incident, cybersecurity experts recommend regularly auditing dependencies, enabling GitHub’s security features, restricting workflow permissions, implementing zero-trust principles, and staying informed through security advisories.
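The two defensive points above, that mutable tags were repointed to a malicious commit and that workflows should be audited and their permissions restricted, can be turned into a concrete check. The following script is an added example, not code from the article, StepSecurity, GitHub, or the tj-actions project. It scans a workflow file for `uses:` references, flags any reference to tj-actions/changed-files by a tag below the patched 46.0.1, flags any action that is not pinned to a full 40-character commit SHA, and reports a workflow that never sets a top-level `permissions:` block. The sample workflow and the 40-hex SHA in it are constructed for illustration; the SHA is hypothetical and is not the real patched commit.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample workflow (not from any real repository). It mixes the
# patterns an auditor meets: a mutable tag in the affected range, the patched
# tag, and a full-SHA pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # hypothetical SHA
"""

AFFECTED_ACTION = "tj-actions/changed-files"
PATCHED = (46, 0, 1)  # first safe release named in the advisory
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """Turn a tag such as 'v45' or 'v46.0.1' into a comparable tuple.
    Returns None for anything that is not a version tag (branch names, SHAs)."""
    m = VERSION_RE.match(ref)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, finding) for each risky 'uses:' entry,
    plus one finding (line 0) if the workflow never restricts GITHUB_TOKEN."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        full_ref = m.group(1)
        action, _, ref = full_ref.partition("@")
        if FULL_SHA_RE.match(ref):
            # Pinned to an immutable commit: a repointed tag cannot reach it.
            continue
        if action == AFFECTED_ACTION:
            ver = parse_version(ref)
            if ver is not None and ver < PATCHED:
                findings.append((lineno, full_ref,
                                 "affected mutable tag (v1..v45.0.7 were repointed); "
                                 "update to v46.0.1 and pin to its commit SHA"))
            else:
                findings.append((lineno, full_ref,
                                 "mutable tag; pin to the full commit SHA of v46.0.1"))
        else:
            findings.append((lineno, full_ref,
                             "action referenced by mutable tag; pin to a full commit SHA"))
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append((0, "-",
                         "no top-level 'permissions:' block; GITHUB_TOKEN falls back "
                         "to the repository default"))
    return findings


if __name__ == "__main__":
    for lineno, ref, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {msg}")
```

Run against the sample it reports the v45 reference as affected, the v46.0.1 and actions/checkout references as unpinned, and the missing `permissions:` block; the SHA-pinned step produces no finding. Pointing the same function at each file under `.github/workflows/` gives a quick first pass over a repository, with the caveat that a SHA pin is only as good as the review that chose the SHA, so the pinned commit should be checked against the maintainer's published release before it is trusted.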

In conclusion, the compromise of tj-actions/changed-files underscores the escalating risks associated with supply chain attacks in software development. By prioritizing security measures such as updating dependencies, restricting permissions, and monitoring for vulnerabilities, developers and organizations can mitigate similar attacks in the future. By adhering to CISA’s recommendations and proactive security practices, the risk of supply chain attacks can be significantly reduced, ensuring a more secure software development environment.
