External risk intelligence

TJ-Actions Changed-Files: Secret Disclosure Risk in Workflow Logs.

CVE advisoryKnown Exploit

CVE-2025-30066

A vulnerability in a GitHub Action allows remote attackers to discover secrets within workflow logs. This impacts organizations using the affected component, posing a risk of sensitive data exposure, which could compromise systems and operations.

1Halo Surface Signal

Tj Actions Changed Files

45.0.7 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2025-30066

The vulnerability exists within a build-time GitHub Action used in CI/CD pipelines. It is not an internet-facing service, web application, or edge gateway. The exposure is limited to the internal execution environment of development and build processes, making it isolated from public network traffic.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the tj-actions/changed-files component, impacting organizations that utilize this tool in their development workflows. The flaw allows for unauthorized access to sensitive information, creating significant business risk. This could lead to the exposure of critical data, potentially affecting system integrity and operational continuity.

tj-actions/changed-files component
Discovers secrets by reading action logs
Exposure of sensitive data and credentials

Attack Path

How an attacker could exploit the issue

A malicious version of the `tj-actions/changed-files` GitHub Action was published, allowing attackers to access secrets from workflow logs. Organizations using this action could have sensitive information compromised, including API keys and private keys. This exposure could lead to further unauthorized access and potential data breaches.

Action is configured in workflows.
Attackers exploit workflow logs.
Secrets are exposed to attackers.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability involves a compromised third-party software component used in development workflows. Attackers could potentially access sensitive information, such as access keys and tokens, by exploiting this issue. The risk is to the integrity of development pipelines and the potential exposure of critical organizational secrets.

Low attacker skill level required.
Malicious code execution in workflows.
High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization's affected assets should be identified to understand the scope of the potential impact. This involves pinpointing where the tj-actions/changed-files tool was utilized within workflows, as it allowed remote attackers to discover secrets by reading action logs. Remediation efforts should focus on reducing exposure to these logs and applying the vendor-provided fix to prevent further unauthorized access to sensitive information. Once remediation is applied, validating the fix and monitoring for any related security incidents is crucial.

Find affected assets.
Reduce exposure or isolate risk.
Fix, verify, and monitor.

Frequently asked questions

What is the tj-actions/changed-files GitHub Action and its function in development?

The tj-actions/changed-files is a GitHub Action that identifies files modified within a repository. It automates tasks by providing details about changes during the software development lifecycle.

What type of vulnerability is CVE-2025-30066, and what is its weakness class?

CVE-2025-30066 is a CWE-506 vulnerability, specifically involving hard-coded credentials. A compromised version of the tj-actions/changed-files action enabled remote attackers to uncover secrets through action logs, leading to sensitive information exposure.

How can an attacker exploit the tj-actions/changed-files vulnerability?

An attacker can exploit this vulnerability by using a malicious version of the tj-actions/changed-files action. This malicious code allows them to read action logs, thereby discovering sensitive secrets that may have been processed or logged during the workflow execution.

What is the relevance of CVE-2025-30066 and its impact, considering Halo Surface Signal?

CVE-2025-30066 is relevant due to its potential to expose secrets like API keys and tokens from GitHub Actions workflow logs. Halo classifies this as an external exposure risk, although its impact is limited to the internal execution environment of development and build processes.

What practical steps should an organization take to respond to this vulnerability?

Organizations should identify all instances where tj-actions/changed-files is used in workflows. Implement the vendor-provided fix, reduce exposure to action logs where possible, and then verify the remediation and monitor for any related security incidents.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.