Tj Actions


Products by Tj Actions Sorted by Most Security Vulnerabilities since 2018

Tj Actions Changed Files: 2 vulnerabilities

Tj Actions Branch Names: 1 vulnerability

Known Exploited Tj Actions Vulnerabilities

The following Tj Actions vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
Description: The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
CVE: CVE-2025-30066 (Exploit Probability: 91.8%)
Added: March 18, 2025

The vulnerability CVE-2025-30066: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities in Tj Actions. Last year, in 2025, Tj Actions had 1 security vulnerability published. Right now, Tj Actions is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   1                 8.60
2024   0                 0.00
2023   3                 9.47

It may take a day or so for new Tj Actions vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Tj Actions Security Vulnerabilities

CVE-2025-30066 (published Mar 15, 2025). Product: Changed Files
Changed-files (pre-v46) Remote Secret Disclosure via Log Reading
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)

CVE-2023-52137 (published Dec 29, 2023). Product: Verify Changed Files
Cmd Inject in tj-actions/verify-changed-files pre-17 (GitHub Action)
The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;`, which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly substituted before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB_TOKEN` if triggered on events other than `pull_request`. This has been patched in versions [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) and [17.0.0](https://github.com/tj-actions/verify-changed-files/releases/tag/v17.0.0) by enabling `safe_output` by default and returning filename paths with special characters escaped for bash environments.

CVE-2023-51664 (published Dec 27, 2023). Product: Changed Files
GitHub Action tj-actions/changed-files <41.0.0: Command Injection
tj-actions/changed-files is a GitHub action to retrieve all changed files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.

CVE-2023-49291 (published Dec 05, 2023). Product: Branch Names
GitHub Action tj-actions/branch-names v<7.0.7 RCE via head_ref
tj-actions/branch-names is a GitHub action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Action improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result, an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).