arduino-esp32 is using a compromised tj-actions/changed-files GitHub action (CVE-2025-30066)

arduino-esp32 uses a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.

The action is included in:
  - https://github.com/espressif/arduino-esp32/blob/2a3de9c41533c0559e7c16ea34f4315e5fc2205d/.github/workflows/push.yml

Output of an affected run:
  - https://github.com/espressif/arduino-esp32/actions/runs/13864794849/job/38801411946#step:3:91

Please review.

Learn about the compromise on [StepSecurity](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) of [Semgrep](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/).

This issue has been assigned [CVE-2025-30066](https://nvd.nist.gov/vuln/detail/CVE-2025-30066)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

arduino-esp32 is using a compromised tj-actions/changed-files GitHub action (CVE-2025-30066) #11127

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

arduino-esp32 is using a compromised tj-actions/changed-files GitHub action (CVE-2025-30066) #11127

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions