tj-actions/changed-files
cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*
- <v46
This vulnerability is being actively exploited in the wild.
A malicious commit was pushed to the GitHub Action 'tj-actions/changed-files', and all existing version tags were retroactively moved to point at the compromised code, so any workflow referencing the action by tag pulled the malicious version. This vulnerability, assigned CVE-2025-30066, allows CI/CD secrets to be dumped from the GitHub Actions runner's memory without authorization. The leaked secrets are printed in the workflow logs.
In public repositories the workflow logs are world-readable, so the exposed secrets can be accessed by anyone. In private repositories the logs are not public, but the leaked secrets are still readable by anyone with permission to view the workflow runs.
The vulnerability can be reproduced by using a version of 'tj-actions/changed-files' that points to the malicious commit '0e58ed8'. When the action is executed, it will download and run a Python script that scans the runner's memory for secrets, encodes them in base64, and prints them out. This behavior can be observed in the logs of the workflow run.
Users should immediately stop using 'tj-actions/changed-files' and replace it with 'step-security/changed-files', a secure alternative maintained by StepSecurity. After updating the action, audit the repository for any leaked secrets and rotate them as necessary.
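The first step of that audit is finding every workflow that references the compromised action. The script below is an added example written for this advisory, not code from the tj-actions or StepSecurity projects. It walks `.github/workflows/`, reports each `uses: tj-actions/changed-files@...` reference, and classifies the ref: a mutable tag (which the retroactive tag move made dangerous), a ref beginning with the malicious commit prefix '0e58ed8' given above, or a full 40-character commit SHA. The regex-based parser and the sample workflow text are assumptions of the example; only the action name, the commit prefix and the replacement action come from the advisory. Beyond replacing the action as the advisory recommends, pinning any third-party action to a full commit SHA is the direct defense against the tag-rewriting technique described here.

```python
import re
import sys
from pathlib import Path

# Values taken from the advisory text. The malicious commit is only given
# there as a 7-character prefix, so matching is done on that prefix.
COMPROMISED_ACTION = "tj-actions/changed-files"
MALICIOUS_COMMIT_PREFIX = "0e58ed8"
REPLACEMENT_ACTION = "step-security/changed-files"

# Matches `uses: owner/repo[/subpath]@ref`, with or without a list dash,
# quotes, or a trailing YAML comment. A regex (not a YAML parser) keeps the
# example dependency-free; it is an assumption of this example.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<action>[\w.-]+/[\w.-]+)(?P<path>/[^@'"\s]*)?@(?P<ref>[^'"\s#]+)""",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Rank a ref by how much trust it places in the upstream tag namespace."""
    if ref.startswith(MALICIOUS_COMMIT_PREFIX):
        return "malicious-commit"
    if FULL_SHA_RE.match(ref):
        return "pinned-sha"
    return "mutable-tag"


def find_action_refs(workflow_text):
    """Return (line_number, ref, classification) for every use of the compromised action."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        if m.group("action") != COMPROMISED_ACTION:
            continue
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        ref = m.group("ref")
        findings.append((line_no, ref, classify_ref(ref)))
    return findings


def describe(finding):
    """One human-readable report line per finding."""
    line_no, ref, kind = finding
    advice = {
        "malicious-commit": "references the malicious commit; treat all secrets this workflow could read as leaked",
        "mutable-tag": "uses a tag that was retroactively moved to the malicious commit; the action must be replaced",
        "pinned-sha": "pinned to a full commit; still replace the action and confirm the pinned commit is not the malicious one",
    }[kind]
    return f"line {line_no}: {COMPROMISED_ACTION}@{ref} [{kind}] {advice}; replace with {REPLACEMENT_ACTION}"


def scan_workflows(repo_root):
    """Scan every workflow file under .github/workflows and return {path: findings}."""
    results = {}
    wf_dir = Path(repo_root) / ".github" / "workflows"
    for wf in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        found = find_action_refs(wf.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(wf)] = found
    return results


# Constructed sample workflow used to demonstrate the classifier; the
# 40-character ref made of 'a's is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed
        uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@0e58ed8"  # short SHA as quoted in the advisory
      - uses: tj-actions/changed-files@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: step-security/changed-files@v45
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_workflows(root)
    if not hits:
        print(f"no references to {COMPROMISED_ACTION} under {root}")
    for path, findings in hits.items():
        print(path)
        for f in findings:
            print("  " + describe(f))
```

Run it from a repository root (`python scan_changed_files.py /path/to/repo`); an empty result does not mean secrets were not leaked earlier, since a reference may have been removed after a run already executed, so the log audit and rotation the advisory calls for still apply.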