
Use of Vulnerable tj-actions/changed-files@v44 allows remote attackers to discover secrets by reading actions logs. #17213

@vishalkumar957039

Description

Hi

HIGH

The repository [code-423n4/code423n4.com](https://github.com/code-423n4/code423n4.com/blob/126a95e682dcf0b1e622759aa84d4569a48496a4/.github/workflows/validate.yml#L21) uses a vulnerable version of the GitHub Action tj-actions/changed-files@v44, which is affected by [CVE-2025-30066](GHSA-mrrh-fwg8-r2c3).
This version was compromised via a supply chain attack that exposed CI/CD secrets by printing them into GitHub Actions logs — publicly accessible in repositories with public workflows.


Vulnerability Details

  • Component: tj-actions/changed-files
  • Affected Version: v44 (falls within the vulnerable range <= 45.0.7)
  • Patched Version: >= 46.0.1
  • CVE: [CVE-2025-30066](GHSA-mrrh-fwg8-r2c3)
  • Risk Level: High
  • Impact: Exposure of GitHub secrets through malicious log injection.

The action was maliciously modified to run a Python script that extracted secrets from the runner’s memory and exfiltrated them via encoded logs.

Indicator of Compromise (IoC):

  • Malicious commit: 0e58ed8671d6b60d0890c21b07f8835ace038e67
  • Retroactively tagged versions: v1.0.0, v35.7.7-sec, v44.5.1

Steps to Reproduce

  1. Visit the vulnerable workflow reference:
    [validate.yml](https://github.com/code-423n4/code423n4.com/blob/126a95e682dcf0b1e622759aa84d4569a48496a4/.github/workflows/validate.yml#L21)

  2. Note the usage of:

     uses: tj-actions/changed-files@v44

  3. Versions prior to v46.0.1 (including v44) can trigger the compromised behavior.

  4. If executed during the threat window (March 14–15, 2025), logs could expose secrets.


Impact

If the repository executed any workflows referencing the vulnerable version between March 14–15, 2025, secrets such as:

  • GitHub tokens
  • Deployment credentials
  • API keys

...may have been logged publicly or leaked.


Remediation

  • Immediate Fix: Upgrade the action reference to the patched version:

     uses: tj-actions/changed-files@v46.0.1

  • Secret Audit:

    • Inspect logs from March 14–15 for suspicious base64-encoded strings.

    • Use:

       echo '<encoded>' | base64 -d | base64 -d

    • Revoke and rotate any exposed secrets.


References
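The two remediation steps above (checking which `changed-files` reference a workflow uses, and triaging logs for double-base64 blobs with `base64 -d | base64 -d`) can be scripted. The Python below is an added example, not code from this issue or from the code-423n4 repository. It applies only the figures stated in the issue (vulnerable tags up to 45.0.7, patched from 46.0.1, malicious commit `0e58ed8671d6b60d0890c21b07f8835ace038e67`); the regular expressions, the 40-character threshold for a base64 run, and the sample workflow and log are assumptions constructed for the demonstration.

```python
"""Defender-side triage for the tj-actions/changed-files incident.

Added example, not code from the issue or from the code-423n4 project. It uses
the ranges and indicator given in the issue text; the sample workflow and log
below are constructed for this demonstration and contain no real credential.
"""
import base64
import re

VULN_MAX = (45, 0, 7)          # last affected release named in the issue
KNOWN_BAD_SHAS = {"0e58ed8671d6b60d0890c21b07f8835ace038e67"}  # IoC from the issue

USES_RE = re.compile(r"uses:\s*tj-actions/changed-files@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # assumed minimum length of a blob


def classify_ref(ref):
    """Classify one '@ref' of tj-actions/changed-files against the issue's ranges."""
    if ref in KNOWN_BAD_SHAS:
        return "malicious-commit"
    if SHA_RE.match(ref):
        return "sha-pinned"          # immutable; still confirm it is an upstream release commit
    m = VERSION_RE.match(ref)
    if not m:
        return "unrecognised"        # branch name or unusual tag: review by hand
    parts = [int(p) for p in m.groups() if p is not None]
    if len(parts) == 1:              # floating major tag such as v44: compare majors only
        return "vulnerable" if parts[0] <= VULN_MAX[0] else "patched-tag"
    ver = tuple(parts) + (0,) * (3 - len(parts))
    return "vulnerable" if ver <= VULN_MAX else "patched-tag"


def audit_workflow(text):
    """Return (line_no, ref, status) for every changed-files reference in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            findings.append((n, m.group(1), classify_ref(m.group(1))))
    return findings


def decode_twice(token):
    """The issue's `base64 -d | base64 -d`: text if the token is a double-encoded string, else None."""
    token += "=" * (-len(token) % 4)   # tolerate a blob captured without its padding
    try:
        plain = base64.b64decode(base64.b64decode(token, validate=True), validate=True)
        text = plain.decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # not base64 twice over (e.g. a plain commit hash)
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def find_double_base64(log_text):
    """Return (line_no, decoded_text) for log lines that carry a double-base64 blob."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for token in B64_RUN_RE.findall(line):
            decoded = decode_twice(token)
            if decoded:
                hits.append((n, decoded))
    return hits


# Constructed sample inputs (not taken from any real repository or run).
SAMPLE_WORKFLOW = """\
name: validate
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v44
      - uses: tj-actions/changed-files@v46.0.1
"""
FAKE_SECRET = "EXAMPLE_TOKEN=not-a-real-token-0000"   # constructed placeholder, not a credential


def double_encode(text):
    """Build a constructed log line wrapped the way the issue's decode command undoes."""
    return base64.b64encode(base64.b64encode(text.encode())).decode()


SAMPLE_LOG = "\n".join([
    "Run tj-actions/changed-files@v44",
    "Checking out 0e58ed8671d6b60d0890c21b07f8835ace038e67",   # hex, must not be flagged
    double_encode(FAKE_SECRET),
    "Post job cleanup.",
])

if __name__ == "__main__":
    for n, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: @{ref} -> {status}")
    for n, text in find_double_base64(SAMPLE_LOG):
        print(f"log line {n}: decodes to {text!r} -> rotate this credential")
```

Run `audit_workflow` over each file under `.github/workflows/` and `find_double_base64` over the raw logs of jobs that ran in the March 14–15 window. A `patched-tag` result is still a mutable tag; the durable fix is to pin the action to a full commit SHA that you have verified against the upstream release, which is why a pin to the malicious commit is reported separately.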
