CVE-2024-48908

Summary

There is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml.

Details

The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action.

PoC

- uses: lycheeverse/lychee@v2
  with:
    lycheeVersion: $(printenv &gt;&gt; $GITHUB_STEP_SUMMARY &amp;&amp; echo &quot;v0.16.1&quot;)

The previous example will just print all the environment variables to the summary of the workflow, but an attacker could potentially use this vector to compromise the security of the target repository, even passing unnotice because the action will run normally.

Impact

Low

Published: Aug 28, 2025
Updated: Aug 29, 2025
CVE: CVE-2024-48908
GHSA: GHSA-65rg-554r-9j5x
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
lycheeverse / lychee-action	-	2.0.2

https://github.com/lycheeverse/lychee-action/commit/7cd0af4c74a61395d455af97419279d86aafaede
https://github.com/lycheeverse/lychee-action/security/advisories/GHSA-65rg-554r-9j5x

Vulnerability Database

CVE-2024-48908

Summary

Details

PoC

Impact