DirectXShaderCompiler used a compromised tj-actions/changed-files GitHub action (CVE-2025-30066)

[eslerm]

DirectXShaderCompiler used a compromised version of tj-actions/changed-files. The compromised action appears to have leaked secrets the runner was running in memory.

The action was included in:

• DirectXShaderCompiler/.github/workflows/clang-format-checker.yml

  Line 22 in 24dedfd

  uses: tj-actions/changed-files@v41

Output of an affected run:

• https://github.com/microsoft/DirectXShaderCompiler/actions/runs/13867274121/job/38808741661#step:3:55

Please review.

Learn about the compromise on StepSecurity of Semgrep.

This issue has been assigned CVE-2025-30066

[tex3d]

Thank you for the report.

The vulnerability was addressed globally from the GitHub side by first disabling the action, then by fixing the action repo. See comment: tj-actions/changed-files#2463 (comment)

Any secrets leaked into logs were limited to the GITHUB_TOKEN, which would have expired:

Before each job begins, GitHub fetches an installation access token for the job. The GITHUB_TOKEN expires when a job finishes or after a maximum of 24 hours.

These two completed PRs changed the workflow to no longer be vulnerable to this kind of attack on the GitHub action: #7217, #7226.