What is the CVSS score of CVE-2025-30066?

CVE-2025-30066 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 92.0%.

Which versions of Changed Files are affected by CVE-2025-30066?

Organizations using tj-actions changed-files before 46 face significant risk from CVE-2025-30066 rated CVSS 8.6.

Is there a public PoC exploit available for CVE-2025-30066?

Yes, a public proof-of-concept exploit is available for CVE-2025-30066. Prioritise patching immediately. EPSS: 92.0%.

How to fix or mitigate CVE-2025-30066?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Changed Files CVE-2025-30066

HIGH

Embedded Malicious Code (CWE-506)

2025-03-15 cve@mitre.org

Information Disclosure Changed Files

8.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:31 vuln.today

Added to CISA KEV

Nov 05, 2025 - 19:27 cisa

CISA KEV

PoC Detected

Nov 05, 2025 - 19:27 vuln.today

Public exploit code

CVE Published

Mar 15, 2025 - 06:15 nvd

HIGH 8.6

DescriptionNVD

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

AnalysisAI

tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories.

Technical ContextAI

The CWE-506 supply chain attack modified existing mutable tags (v1 through v45.0.7) to reference commit 0e58ed8, which contained malicious updateFeatures code. The code extracted environment variables (including secrets) and wrote them to GitHub Actions workflow logs, making them accessible to anyone with read access.

RemediationAI

Pin all GitHub Actions to specific commit SHAs. Rotate ALL secrets that were available to workflows using this action. Audit workflow logs for secret exposure. Use GitHub's allow-listed actions feature.

CVE-2025-30066 vulnerability details – vuln.today

Back

Changed Files CVE-2025-30066

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code