CVE · Published 2025-03-15 · 1 article on news · 6 live references · NVD data

CVE-2025-30066

Vulnerability data via CVEDB (Shodan)

CISA KEV: Known exploited in the wild.
CISA action: tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading GitHub Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
CVSS v3.1: 8.6 (HIGH)
EPSS percentile: 98 (Exploit Prediction Scoring System · top 2% of all CVEs)
Description

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
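As an added illustration (not part of this record or of the tj-actions project), a check a defender can run over workflow files: it flags references to the affected action by mutable tag, flags pinned references whose SHA begins with the commit id named above, and notes any other action not pinned to a full SHA. The workflow text and the 40-character SHA are constructed sample values; the page gives only the short id 0e58ed8.

```python
import re

# Short commit id the record names as the target of the repointed tags.
COMPROMISED_COMMIT_PREFIX = "0e58ed8"
AFFECTED_ACTION = "tj-actions/changed-files"

# Matches `uses: owner/repo@ref` lines; local (./path) and docker:// steps have no @ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every `uses:` line that carries an @ref."""
    return USES_RE.findall(workflow_text)


def audit_workflow(workflow_text):
    """Return (action, ref, finding) tuples in file order; empty means all pinned."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        pinned = bool(FULL_SHA_RE.match(ref))
        if action == AFFECTED_ACTION and pinned and ref.startswith(COMPROMISED_COMMIT_PREFIX):
            findings.append((action, ref, "pinned to the compromised commit"))
        elif action == AFFECTED_ACTION and not pinned:
            findings.append((action, ref, "mutable ref to an action whose tags were repointed"))
        elif not pinned:
            findings.append((action, ref, "mutable ref; pin to a full commit SHA"))
    return findings


# Constructed sample: a padded 40-hex SHA (placeholder) and a workflow mixing pinned,
# tag-referenced and local steps.
SAMPLE_BAD_SHA = COMPROMISED_COMMIT_PREFIX + "a" * 33
SAMPLE_WORKFLOW = (
    "name: ci\n"
    "on: [pull_request]\n"
    "jobs:\n"
    "  build:\n"
    "    runs-on: ubuntu-latest\n"
    "    steps:\n"
    "      - uses: actions/checkout@v4\n"
    "      - uses: tj-actions/changed-files@v45.0.7\n"
    "        id: changed\n"
    f"      - uses: tj-actions/changed-files@{SAMPLE_BAD_SHA}\n"
    "      - uses: ./.github/actions/local-step\n"
)

if __name__ == "__main__":
    for action, ref, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {finding}")
```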

Timeline
Published 2025-03-15

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Known PoCs on GitHub (8)

step-security/harden-runner (TypeScript)
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detect…
★ 1,210 · updated today

mkbhardwas12/pwned-deps (Python)
Lockfile-first scanner for compromised npm/PyPI/Maven/Cargo/Go/RubyGems packages — OSV + curated extras feed, SLSA L3, locked-container CI
★ 164 · updated 1mo ago

webpro255/awesome-ai-agent-attacks (language unknown)
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
★ 28 · updated 2mo ago

chains-project/ghasum (Go)
Checksums for GitHub Actions.
★ 19 · updated today

tracebit-com/tracebit-community-action (TypeScript)
The Tracebit Community GitHub Action helps developers detect intrusions and supply-chain attacks across their GitHub workflows and pipelines by deploying canary credentials.
★ 18 · updated 2w ago

bridge-mind/BridgeSecurity (Shell)
Find vulnerabilities. Ship secure. — Senior security-engineer skill for AI coding agents. OWASP Top 10, CWE Top 25, secrets detection, IaC + CI hardening, and a read-only auditor s…
★ 16 · updated 2mo ago

cybrota/scharf (Go)
Static analysis tool to Identify and Fix GitHub Actions prone to Supply‑Chain Risks
★ 15 · updated 1w ago

rayzhed/PWNPipe (JavaScript)
Offensive GitHub Actions attack surface analyzer : scan any repo for CI/CD vulnerabilities, pwn requests, supply chain risks, and secret leaks. Powered by 20 detection rules with…
★ 5 · updated 1mo ago