
CVE-2024-48908 lycheeverse/lychee-action

Package

Manager: github_actions
Name: lycheeverse/lychee-action
Vulnerable Version: >=0 <2.0.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: 0.00062 (percentile 0.19534)

Details

lychee link checking action affected by arbitrary code injection in composite action

Summary

The `lychee-setup` step of the composite action defined in *action.yml* is affected by an arbitrary code injection vulnerability.

Details

The action input `inputs.lycheeVersion` can be used to execute arbitrary code in the context of the action. The input is interpolated as a `${{ ... }}` expression directly into the step's `run:` shell script; the Actions runner substitutes the expression as plain text before bash parses the script, so a value containing shell syntax such as `$(...)` command substitution is executed rather than treated as a version string.

PoC

```yaml
- uses: lycheeverse/lychee-action@v2
  with:
    lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")
```

This example only appends all environment variables of the job to the workflow summary, but an attacker who controls the value of `lycheeVersion` could use the same vector to run arbitrary commands with the job's permissions and compromise the target repository, potentially without being noticed, because the `echo "v0.16.1"` at the end yields a valid version and the action continues to run normally. Exploitation requires that an untrusted party can influence the input value, for example a workflow that derives it from pull request data.

Impact

Low. Update to lycheeverse/lychee-action 2.0.2 or later.
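The following is an added example, not code from the advisory or from lycheeverse/lychee-action. It shows the injection mechanism described above and a check a practitioner can run over their own action or workflow files: a small line-based scanner (no YAML library needed) that flags `${{ ... }}` expressions expanded inside `run:` scripts when they read from contexts an outside party can influence, plus a function that mimics the runner's textual substitution so the effect of the PoC payload is visible. The two `action.yml` fragments, the `example.invalid` download URL and the helper names are constructed for illustration; the hardened fragment uses the standard mitigation of passing the input through an `env:` variable, which the shell expands as a value rather than re-parsing.

```python
"""Constructed example: detect GitHub Actions expression injection in run: steps.

Hypothetical helpers, not part of lychee-action. The scanner is line-based so it
needs no YAML parser; it tracks block scalars under a `run:` key by indentation.
"""
import re

# Expression syntax the Actions runner expands textually before bash sees the script.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Contexts treated as attacker-influenced. Conservative, not exhaustive: callers
# choose `inputs`, pull request authors choose much of `github.event`.
UNTRUSTED_PREFIXES = ("inputs.", "github.event.", "github.head_ref")
RUN_KEY_RE = re.compile(r"(-\s+)?run:\s*(.*)$")


def find_run_injections(action_yaml):
    """Return [(line_number, expression)] for untrusted expressions inside run: scripts."""
    findings = []
    in_run, key_indent = False, -1

    def check(lineno, text):
        for expr in EXPR_RE.findall(text):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))

    for lineno, line in enumerate(action_yaml.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and (stripped == "" or indent > key_indent):
            check(lineno, line)  # continuation line of a `run: |` block scalar
            continue
        in_run = False
        m = RUN_KEY_RE.match(stripped)
        if m:
            in_run = True
            key_indent = indent + len(m.group(1) or "")  # `- run:` vs `run:`
            check(lineno, m.group(2))  # inline `run: <command>`
    return findings


def render_expressions(action_yaml, inputs):
    """Mimic the runner: replace ${{ inputs.X }} with the raw input text, no escaping."""
    def sub(m):
        expr = m.group(1)
        if expr.startswith("inputs."):
            return inputs.get(expr[len("inputs."):], "")
        return m.group(0)
    return EXPR_RE.sub(sub, action_yaml)


# Constructed action.yml fragments in the shape of a composite action setup step;
# illustrations only, not the real lychee-action file.
VULNERABLE = """\
runs:
  using: composite
  steps:
    - name: lychee-setup
      shell: bash
      run: |
        curl -sSL "https://example.invalid/lychee-${{ inputs.lycheeVersion }}.tar.gz" -o lychee.tar.gz
        tar -xzf lychee.tar.gz
"""

HARDENED = """\
runs:
  using: composite
  steps:
    - name: lychee-setup
      shell: bash
      env:
        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}   # expanded into an env var, never into the script
      run: |
        curl -sSL "https://example.invalid/lychee-${LYCHEE_VERSION}.tar.gz" -o lychee.tar.gz
        tar -xzf lychee.tar.gz
"""

# The advisory's PoC value: command substitution followed by a plausible version.
PAYLOAD = '$(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")'

if __name__ == "__main__":
    print("vulnerable:", find_run_injections(VULNERABLE))  # [(7, 'inputs.lycheeVersion')]
    print("hardened:  ", find_run_injections(HARDENED))    # []
    # With the payload substituted, the curl line itself now contains $(...),
    # which bash executes before curl runs.
    print(render_expressions(VULNERABLE, {"lycheeVersion": PAYLOAD}))
```

In the hardened fragment the payload still reaches the job, but only as the value of `LYCHEE_VERSION`; bash expands `"${LYCHEE_VERSION}"` to that literal text and does not evaluate the `$(...)` inside it. Run the scanner over `.github/workflows/*.yml` and any `action.yml` you maintain; every hit should either be rewritten to the `env:` pattern or justified as a context no outside party can set.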

Metadata

Created: 2025-08-28T14:40:08Z
Modified: 2025-08-28T15:59:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-65rg-554r-9j5x/GHSA-65rg-554r-9j5x.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-65rg-554r-9j5x
Finding: F422
Auto approve: 1