8.6 CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
https://nvd.nist.gov/vuln/detail/CVE-2025-30066
Categories
CWE-506 : Embedded Malicious Code
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
CWE-NVD-Other
References
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:* |
|
<= 45.0.7 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 442 |
Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain. |
High |
| 448 |
Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop. |
High |
| 636 |
Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover. |
High |
MITRE
Techniques
| id |
description |
| T1001.002 |
Data Obfuscation: Steganography |
| T1027.003 |
Obfuscated Files or Information: Steganography |
| T1027.004 |
Obfuscated Files or Information: Compile After Delivery |
| T1027.009 |
Obfuscated Files or Information: Embedded Payloads |
| T1195.001 |
Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
| T1195.002 |
Supply Chain Compromise: Compromise Software Supply Chain |
| T1218.001 |
Signed Binary Proxy Execution: Compiled HTML File |
| T1221 |
Template Injection |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| M1031 |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| M1040 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts. |
| M1016 |
Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. |
| M1016 |
Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. |
| M1021 |
Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files |
| M1017 |
Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
