=====================================================================
CERT-Renater Information Note No. 2025/VULN148
_____________________________________________________________________

DATE : 19/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running tj-actions/changed-files (GitHub Actions)
versions prior to 46.0.1.
=====================================================================

https://github.com/tj-actions/changed-files?tab=readme-ov-file#readme
https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
_____________________________________________________________________

Warning

Security Alert: A critical security issue was identified in this action due to
a compromised commit. This commit has been removed from all tags and branches,
and necessary measures have been implemented to prevent similar issues in the
future.

Action Required:

- Review your workflows executed between March 14 and March 15. If you notice
  unexpected output under the changed-files section, decode it using the
  following command:

    echo 'xxx' | base64 -d | base64 -d

  If the output contains sensitive information (e.g., tokens or secrets),
  revoke and rotate those secrets immediately.

- If your workflows reference this commit directly by its SHA, you must update
  them immediately to avoid using the compromised version.

- If you are using tagged versions (e.g., v35, v44.5.1), no action is required
  as these tags have been updated and are now safe to use.

Additionally, as a precaution, we recommend rotating any secrets that may have
been exposed during this timeframe to ensure the continued security of your
workflows.
_____________________________________________________________________

tj-actions changed-files through 45.0.7 allows remote attackers to discover
secrets by reading actions logs.
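As an added example (not code from this note, the GHSA, or the tj-actions project), a small Python triage helper for the two checks the note asks for: flagging workflow references to tj-actions/changed-files that are pinned to the compromised commit 0e58ed8 or to a version below the patched 46.0.1, and decoding the double-base64 blob the note tells you to look for in job logs. The 40-character SHA and the workflow snippet below are constructed sample values, not real repository content.

```python
# Added triage helper (not part of the advisory or the tj-actions project).
# Scans workflow text for "uses: tj-actions/changed-files@<ref>" and decodes
# the doubly base64-encoded blob described in the note.
import base64
import re

COMPROMISED_COMMIT_PREFIX = "0e58ed8"   # commit named in the GHSA description
PATCHED_VERSION = (46, 0, 1)            # patched version per the advisory
USES_RE = re.compile(r"uses:\s*[\"']?tj-actions/changed-files@([^\s\"'#]+)")

def parse_version(ref):
    """'v44.5.1' -> (44, 5, 1); 'v35' -> (35, 0, 0); None if not a version tag."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify_ref(ref):
    """Classify one @ref of tj-actions/changed-files according to the advisory."""
    if ref.startswith(COMPROMISED_COMMIT_PREFIX):
        return "compromised-commit"      # update immediately
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha-pinned"              # verify the SHA belongs to a clean release
    ver = parse_version(ref)
    if ver is None:
        return "unknown-ref"             # branch name or similar: inspect by hand
    # GHSA lists <= 45.0.7 as affected; tags were re-pointed, still move to 46.0.1
    return "ok" if ver >= PATCHED_VERSION else "tag-below-patched"

def scan_workflow(text):
    """Return [(ref, classification), ...] for every changed-files reference."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(text)]

def decode_double_base64(blob):
    """Decode the doubly base64-encoded output the note says to check for."""
    return base64.b64decode(base64.b64decode(blob)).decode("utf-8", "replace")

# Constructed sample workflow; the full SHA is a placeholder built on the prefix.
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: tj-actions/changed-files@0e58ed8abcdef0123456789abcdef0123456789a
      - uses: tj-actions/changed-files@v44.5.1
      - uses: tj-actions/changed-files@v46.0.1
"""

if __name__ == "__main__":
    for ref, verdict in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:20} {ref}")
```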
High severity   GitHub Reviewed
Published Mar 15, 2025 to the GitHub Advisory Database • Updated Mar 17, 2025

Vulnerability details

Package:           tj-actions/changed-files (GitHub Actions)
Affected versions: <= 45.0.7
Patched versions:  46.0.1

Description

tj-actions changed-files through 45.0.7 allows remote attackers to discover
secrets by reading actions logs. (The tags v1 through v45.0.7 were not
originally affected, but were modified by a threat actor to point at commit
0e58ed8, which contains the malicious updateFeatures code.) This has been
patched in v46.0.1. This supply chain attack was discovered by StepSecurity
Harden-Runner.

References

- https://nvd.nist.gov/vuln/detail/CVE-2025-30066
- tj-actions/changed-files#2463
- https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
- chains-project/maven-lockfile#1111
- rackerlabs/genestack#903
- https://news.ycombinator.com/item?id=43367987
- https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463
- espressif/arduino-esp32#11127
- modal-labs/modal-examples#1100
- tj-actions/changed-files#2464
- https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
- https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
- https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
- https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
- https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
- tj-actions/changed-files#2477
- https://github.com/tj-actions/changed-files/releases/tag/v46.0.1

Published by the National Vulnerability Database: Mar 15, 2025
Published to the GitHub Advisory Database:        Mar 15, 2025
Reviewed:                                         Mar 15, 2025
Last updated:                                     Mar 17, 2025

Severity: High 8.6/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Changed
  Confidentiality:     High
  Integrity:           None
  Availability:        None
  Vector:              CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS score:  (20th percentile)
Weaknesses:  CWE-506
CVE ID:      CVE-2025-30066
GHSA ID:     GHSA-mrrh-fwg8-r2c3
Source code: tj-actions/changed-files
Credits:     @varunsh-coder (Analyst)

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email: cert@support.renater.fr   +
=========================================================