Browse all 5 CVE security advisories affecting tj-actions. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Tj-actions is a GitHub Actions workflow library designed to automate CI/CD processes, primarily used for continuous integration and deployment tasks. Historically, tj-actions has been associated with multiple remote code execution (RCE) vulnerabilities, often stemming from improper input validation and unsafe deserialization practices. Cross-site scripting (XSS) has also been documented in several instances, typically through insufficient output encoding. The library has experienced multiple security incidents, including five CVEs that highlight recurring issues in dependency handling and command injection flaws. These vulnerabilities have allowed attackers to execute arbitrary code within build environments, posing significant risks to organizations using tj-actions in their development pipelines.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-54416 | tj-actions/branch-names Contains Command Injection Vulnerability (branch-names, CWE-77) | 9.1 | Critical | 2025-07-26 |
| CVE-2025-30066 | changed-files security vulnerability (changed-files, CWE-506) | 8.6 | High | 2025-03-15 |
| CVE-2023-52137 | GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames (verify-changed-files, CWE-20) | 7.7 | High | 2023-12-29 |
| CVE-2023-51664 | tj-actions/changed-files command injection in output filenames (changed-files, CWE-77) | 7.3 | High | 2023-12-27 |
| CVE-2023-49291 | Improper Sanitization of Branch Name Leads to Arbitrary Code Injection (branch-names, CWE-20) | 9.3 | Critical | 2023-12-04 |
This page lists every published CVE security advisory associated with tj-actions. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.