Cred leak from tj-actions (CVE-2025-30066)

iggy used a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.

@BartoszCiesla thank you for removing this action! https://github.com/apache/iggy/commit/c026f4d52d6693ddb222f00e7455be419be4a8ca

I am reporting that credentials were leaked previously, and you may need to address this.

Output of an affected run:
  - https://github.com/apache/iggy/actions/runs/13865070412/job/38802271976

Please review.

Learn about the compromise on [StepSecurity](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) of [Semgrep](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/).

This issue has been assigned [CVE-2025-30066](https://nvd.nist.gov/vuln/detail/CVE-2025-30066)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cred leak from tj-actions (CVE-2025-30066) #1652

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cred leak from tj-actions (CVE-2025-30066) #1652

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions