Critical Supply Chain Attack on GitHub Action: CVE-2025-30066 Explained
Discover the recent supply chain compromise of the popular GitHub Action, tj-actions/changed-files, tracked as CVE-2025-30066. Learn about the vulnerability, its impact, and the necessary mitigation steps.
TL;DR
A popular third-party GitHub Action, tj-actions/changed-files, was compromised in a supply chain attack (CVE-2025-30066). This vulnerability allows for the disclosure of sensitive information, including access keys and tokens. The issue has been patched in version v46.0.1. CISA urges users to implement recommended security measures to mitigate risks.
Supply Chain Compromise of GitHub Action: CVE-2025-30066
A popular third-party GitHub Action, tj-actions/changed-files, was recently compromised in a supply chain attack. This action is designed to detect changes in files within pull requests or commits. The vulnerability, tracked as CVE-2025-30066, allows for the disclosure of sensitive information, including:
- Valid access keys
- GitHub Personal Access Tokens (PATs)
- npm tokens
- Private RSA keys
This critical issue has been addressed and patched in version v46.0.1.
CISA Advisory and Mitigation Steps
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog. CISA strongly urges users and organizations to implement the recommended security measures to mitigate this compromise and enhance the security of third-party actions.
Recommended Security Measures
To protect against this vulnerability, consider the following steps:
- Update to the Latest Version: Ensure that you are using the patched version v46.0.1 of tj-actions/changed-files.
- Review and Rotate Secrets: Immediately review and rotate any potentially exposed secrets, such as access keys and tokens.
- Implement Security Hardening: Follow GitHub’s security hardening guidelines for using third-party actions.
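The update and hardening steps above can be checked mechanically across a repository's workflows. The following Python script is an added example written for this page, not code from CISA, GitHub or the tj-actions project: it scans the text of a workflow file for every `uses:` line that references tj-actions/changed-files and classifies each reference as an outdated tag (one that can only resolve to versions below the patched v46.0.1 named above), a tag at or above the fix that is nonetheless a mutable reference, or a full 40-character commit SHA, which is the immutable pin that GitHub's hardening guidance for third-party actions recommends. The sample workflow and the SHA in it are constructed placeholders for this example, not values from any real repository or release.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample workflow for this example; not taken from any real repository.
# The 40-character SHA is a placeholder, not the commit of any real tj-actions release.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: outdated tag
        uses: tj-actions/changed-files@v45
      - name: patched tag (still a mutable ref)
        uses: "tj-actions/changed-files@v46.0.1"
      - name: sha-pinned
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v46.0.1
"""

ACTION = "tj-actions/changed-files"
PATCHED = (46, 0, 1)  # first fixed version named in the advisory
FLOATING = 10**9      # stands in for "any value" when a tag omits minor/patch
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_tag(tag: str) -> Optional[Tuple[int, int, int]]:
    """Map 'v45' -> (45, FLOATING, FLOATING) and 'v46.0.1' -> (46, 0, 1); None if not numeric."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", tag)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else FLOATING for g in m.groups())
    return (major, minor, patch)


def classify_ref(ref: str) -> str:
    """Decide how one tj-actions/changed-files reference should be treated."""
    if SHA_RE.match(ref):
        return "sha-pinned"    # immutable; still confirm the SHA is the v46.0.1 release commit
    ver = parse_tag(ref)
    if ver is None:
        return "unknown-ref"   # branch name or unusual tag: mutable, review by hand
    if ver < PATCHED:
        return "outdated-tag"  # every version this tag can resolve to predates the fix
    return "mutable-tag"       # at or above v46.0.1 today, but a tag can be moved: pin the SHA


def check_workflow(text: str) -> List[Dict[str, object]]:
    """Scan one workflow file's text and report every tj-actions/changed-files use."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        name, _, ref = m.group(1).partition("@")
        if name != ACTION:
            continue
        findings.append({"line": lineno, "ref": ref, "status": classify_ref(ref)})
    return findings


def needs_action(findings: List[Dict[str, object]]) -> bool:
    """True when any use still relies on a tag or branch instead of a full commit SHA."""
    return any(f["status"] != "sha-pinned" for f in findings)


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: @{f['ref']:<42} -> {f['status']}")
    # To scan a real repository, read each file under .github/workflows/
    # and pass its contents to check_workflow().
```

A "sha-pinned" result is the starting point rather than the end of the review: the pinned commit still has to be compared against the published v46.0.1 release before it is trusted, and any workflow that ran an outdated or mutable reference during the compromise window falls under the secret-rotation step above.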
Additional Resources
For further insights and guidance, refer to the following resources:
- GitHub Advisory on CVE-2025-30066
- GitHub Security Hardening for Actions
- tj-actions/changed-files GitHub Repository
- StepSecurity: Harden-Runner Detection
- Wiz: GitHub Action Supply Chain Attack
Reporting Incidents
Organizations are encouraged to report any incidents or anomalous activities related to this vulnerability to CISA’s 24/7 Operations Center at [email protected] or by calling (888) 282-0870.
Disclaimer: This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise.
For more details, visit the full article: CISA Alert on CVE-2025-30066