Critical Supply Chain Attack on GitHub Action: CVE-2025-30066 Explained

Discover the recent supply chain compromise of the popular GitHub Action, tj-actions/changed-files, tracked as CVE-2025-30066. Learn about the vulnerability, its impact, and the necessary mitigation steps.

TL;DR

A popular third-party GitHub Action, tj-actions/changed-files, was compromised in a supply chain attack (CVE-2025-30066). This vulnerability allows for the disclosure of sensitive information, including access keys and tokens. The issue has been patched in version v46.0.1. CISA urges users to implement recommended security measures to mitigate risks.

Supply Chain Compromise of GitHub Action: CVE-2025-30066

A popular third-party GitHub Action, tj-actions/changed-files, was recently compromised in a supply chain attack. This action is designed to detect changes in files within pull requests or commits. The vulnerability, tracked as CVE-2025-30066, allows for the disclosure of sensitive information, including:

  • Valid access keys
  • GitHub Personal Access Tokens (PATs)
  • npm tokens
  • Private RSA keys

This critical issue has been addressed and patched in version v46.0.1.

CISA Advisory and Mitigation Steps

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog. CISA strongly urges users and organizations to implement the recommended security measures to mitigate this compromise and enhance the security of third-party actions.

To protect against this vulnerability, consider the following steps:

  1. Update to the Latest Version: Ensure that you are using the patched version v46.0.1 of tj-actions/changed-files.
  2. Review and Rotate Secrets: Immediately review and rotate any potentially exposed secrets, such as access keys and tokens.
  3. Implement Security Hardening: Follow GitHub’s security hardening guidelines for using third-party actions.
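As an added example (not code from the post, CISA or the tj-actions project), the audit below scans workflow text for every `uses:` reference to tj-actions/changed-files and reports whether it is pinned to a full commit SHA, a tag at or above the patched v46.0.1, an older tag, or a mutable reference such as a branch or major-only tag. It assumes a simple regex over `uses:` lines is sufficient (no YAML parser), and the sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# Patched release named in the advisory; anything older is treated as exposed.
PATCHED = (46, 0, 1)

# Matches `uses: tj-actions/changed-files@<ref>` (quoted or not) and captures the ref.
USES_RE = re.compile(r"""uses:\s*["']?tj-actions/changed-files@([^\s"'#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def classify_ref(ref: str) -> str:
    """Classify how a workflow references the action."""
    if SHA_RE.match(ref):
        # Immutable; still confirm the SHA is the commit of v46.0.1 or later.
        return "pinned-sha"
    m = SEMVER_RE.match(ref)
    if m:
        version = tuple(int(x) for x in m.groups())
        return "patched-tag" if version >= PATCHED else "vulnerable-tag"
    # Branch names, major-only tags (v45, v46) and short SHAs can move:
    # pin them to a full commit SHA per GitHub's hardening guidance.
    return "mutable-ref"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ref, status) for every changed-files usage."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in USES_RE.finditer(line):
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  changes:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@v46
      - uses: "tj-actions/changed-files@v46.0.1"
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} -> {status}")
```

Run it across `.github/workflows/*.yml` in each repository; any `vulnerable-tag` or `mutable-ref` finding is a candidate for step 1, and secrets available to that workflow fall under step 2.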

Additional Resources

For further insights and guidance, refer to the following resources:

Reporting Incidents

Organizations are encouraged to report any incidents or anomalous activities related to this vulnerability to CISA’s 24/7 Operations Center at [email protected] or by calling (888) 282-0870.

Disclaimer: This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise.

For more details, visit the full article: CISA Alert on CVE-2025-30066

This post is licensed under CC BY 4.0 by the author.