
CVE-2025-30066 — AI Deep Analysis Summary

CVSS 8.6 · High

Q1 What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: `tj-actions/changed-files` (v46 and below) contains malicious code. 📉 **Consequences**: Attackers can read operation logs to steal secrets.…

Q2 Root Cause? (CWE/Flaw)

πŸ›‘οΈ **Root Cause**: CWE-506 (Software Fault Injection). The flaw is intentional malicious code embedded in the action that dumps memory content to the app, exposing secrets.

Q3 Who is affected? (Versions/Components)

👥 **Affected**: Users of the `tj-actions/changed-files` GitHub Action. Specifically versions **before v46**. The vendor is `tj-actions`.

Q4 What can hackers do? (Privileges/Data)

💀 **Attacker Capabilities**: Remote attackers can access operation logs. They can extract **secrets** (API keys, tokens) that were previously exposed to logs due to the vulnerability.

Q5 Is the exploitation threshold high? (Auth/Config)

🔓 **Exploitation Threshold**: **Low**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication, no user interaction, and network-accessible. Very easy to exploit.

Q6 Is there a public exploit? (PoC/Wild Exploitation)

πŸ” **Public Exp/PoC**: Yes. A test repo exists (`OS-pedrogustavobilro/test-changed-files`) and a detection tool (`Checkmarx-CVE-2025-30066-Detection-Tool`) is available to scan for risky actions and exposed secrets.

Q7 How to self-check? (Features/Scanning)

🔎 **Self-Check**: Use the **Checkmarx Detection Tool** to scan GitHub workflows. Look for specific risky actions (`reviewdog/*`) and suspicious code snippets. Check logs for memory dumps.
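As an added example (not from this page, and not the Checkmarx tool), a small Python audit that scans a workflow file's `uses:` lines for the action names the page calls out, reports `tj-actions/changed-files` references below v46, and flags mutable tag references that should be pinned to a full commit SHA. The sample workflow is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not taken from the original page).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32
      - run: echo done
"""

# Action names the page lists as risky: the compromised action and reviewdog/*.
RISKY_PREFIXES = ("tj-actions/changed-files", "reviewdog/")
FIXED_MAJOR = 46  # page: update tj-actions/changed-files to v46 or later

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full-length commit SHA pin
TAG_RE = re.compile(r"^v?(\d+)(?:\.\d+)*$")   # tag such as v45 or v45.0.1


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per risky `uses:` reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).partition("@")
        if not action.startswith(RISKY_PREFIXES):
            continue
        sha_pinned = bool(SHA_RE.match(ref))
        tag = TAG_RE.match(ref)
        # A fixed version is only known for the compromised action itself.
        outdated = action == "tj-actions/changed-files" and tag is not None and int(tag.group(1)) < FIXED_MAJOR
        if outdated:
            advice = "update to v%d or later" % FIXED_MAJOR
        elif not sha_pinned:
            advice = "mutable tag/branch reference; pin to a full commit SHA"
        else:
            advice = "SHA-pinned; verify the commit against upstream history"
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "sha_pinned": sha_pinned, "outdated": outdated, "advice": advice})
    return findings
```

Run it over each file under `.github/workflows/` and treat any `outdated` finding as a workflow that needs the v46+ update plus the log audit and credential rotation described below.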

Q8 Is it officially fixed? (Patch/Mitigation)

✅ **Official Fix**: Yes. The issue is tracked in GitHub Issue #2464. The malicious code has been removed. **Update to v46 or later** to mitigate.

Q9 What if there is no patch? (Workaround)

🚧 **No Patch Workaround**: If you cannot update immediately, **audit your workflow logs** for exposed secrets. Rotate any potentially compromised credentials immediately. Remove the vulnerable action version.

Q10 Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. High severity (C:H), low exploitation barrier. Immediate patching to v46+ and secret rotation are required to prevent data leakage.