PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-30066 tj-actions CVE debrief

CVE-2025-30066 is a supply-chain security issue in the tj-actions/changed-files GitHub Action, described in the supplied corpus as an embedded malicious code vulnerability. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-03-18, which means defenders should treat it as an urgent exposure and apply the referenced mitigations or discontinue use if mitigations are unavailable.

Vendor: tj-actions
Product: changed-files GitHub Action
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-03-18
Original CVE updated: 2025-03-18
Advisory published: 2025-03-18
Advisory updated: 2025-03-18

Who should care

Teams that maintain GitHub Actions workflows, DevSecOps and platform engineering groups, open-source maintainers, and any organization that depends on tj-actions/changed-files in CI/CD pipelines.

Technical summary

The supplied official records identify CVE-2025-30066 as malicious code embedded in the tj-actions/changed-files GitHub Action. The corpus does not provide a CVSS score or deeper exploit mechanics, but CISA classifies it as a known exploited vulnerability and directs affected users to apply mitigations per vendor guidance or stop using the product if mitigations cannot be applied.

Defensive priority

Urgent

Recommended defensive actions

  • Determine whether any repositories, reusable workflows, or automation pipelines depend on tj-actions/changed-files.
  • Follow the mitigation guidance referenced by CISA and the vendor official records.
  • If mitigations are not available in your environment, discontinue use of the affected action.
  • Apply CISA BOD 22-01 guidance where the affected workflow is used in cloud services.
  • Track the official CVE and NVD records for updates and any additional remediation guidance.
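As an added example (not part of the PatchSiren debrief or of tj-actions' own code), a dependency-free Python scanner for the first action above: it walks a repository's .github tree, finds every `uses:` reference to tj-actions/changed-files, and reports whether each reference is a mutable tag or branch or a full 40-hex commit SHA. The sample workflow text and the SHA in it are constructed placeholders, not real commits.

```python
import re
import sys
from pathlib import Path

TARGET = "tj-actions/changed-files"

# Matches `uses: owner/repo@ref` (optionally quoted, optionally a list item),
# stopping the ref at whitespace, quotes or a trailing `#` comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\'#]+)', re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the page); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45   # mutable tag
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"
"""


def find_action_refs(text, action=TARGET):
    """Return [(ref, pinned_to_sha), ...] for every `uses:` of `action`."""
    hits = []
    for match in USES_RE.finditer(text):
        name, ref = match.group(1), match.group(2)
        if name.lower() == action:  # GitHub resolves action names case-insensitively
            hits.append((ref, bool(SHA_RE.match(ref))))
    return hits


def scan_workflows(root):
    """Scan workflows, reusable workflows and composite actions under .github."""
    results = {}
    for pattern in ("*.yml", "*.yaml"):
        for path in (Path(root) / ".github").rglob(pattern):
            hits = find_action_refs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_workflows(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for ref, pinned in hits:
            print(f"{path}: {TARGET}@{ref} ({'pinned SHA' if pinned else 'mutable ref'})")
```

Run it with the repository root as the only argument; any reference it reports belongs on the list of pipelines to review against the vendor and CISA guidance.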

Evidence notes

This debrief uses only the supplied CISA KEV metadata and the official CVE/NVD links included in the corpus. The corpus explicitly labels the issue as an embedded malicious code vulnerability for tj-actions/changed-files, marks it as a Known Exploited Vulnerability, and provides a mitigation deadline of 2025-04-08. No CVSS score or exploit narrative was supplied.

Official resources

Publicly disclosed in the supplied corpus on 2025-03-18 and added to CISA KEV the same day; the corpus does not provide an earlier vendor disclosure date.