GHSA-65rg-554r-9j5x: lychee link checking action affected by arbitrary code injection in composite action

Summary

There is a potential arbitrary code injection vulnerability in the lychee-setup step of the composite action defined in action.yml.

Details

The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action.

PoC

- uses: lycheeverse/lychee@v2
  with:
    lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")

The previous example only appends all environment variables to the workflow summary, but an attacker could use the same vector to compromise the target repository, and it could go unnoticed because the action otherwise runs normally.
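One way the setup step can fail closed on this input, as an added example that is not lychee-action's own code: the value is handed to the shell as data (through an environment variable) instead of being expanded into the script text, and it is used only when it matches a release-tag shape. The variable name LYCHEE_VERSION and the accepted tag format are assumptions.

```sh
#!/bin/sh
# Added example, not lychee-action's own code: hardened handling of the
# inputs.lycheeVersion value in a composite-action setup step.
#
# Vulnerable pattern (as the advisory describes): the input is spliced into the
# script text by the workflow engine, so a `$(...)` inside it is run by the shell:
#     run: echo "Installing lychee ${{ inputs.lycheeVersion }}"
#
# Hardened pattern (assumed variable name): pass the value to the shell as data,
# never as script text, and validate it before use:
#     env:
#       LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
#     run: ./setup.sh "$LYCHEE_VERSION"

nl='
'

# validate_version STRING: exit 0 only for MAJOR.MINOR.PATCH with an optional
# leading v. Anything else (shell metacharacters, spaces, extra segments) is
# rejected. The tag format is an assumption for this example.
validate_version() {
  # grep matches per line, so a multi-line value could hide a clean first line.
  case "$1" in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'
}

# resolve_version STRING: print the canonical tag (with leading v) or fail closed.
resolve_version() {
  ver=$1
  if ! validate_version "$ver"; then
    printf 'refusing unsafe lycheeVersion value\n' >&2
    return 1
  fi
  case "$ver" in v*) ;; *) ver="v$ver" ;; esac
  printf '%s\n' "$ver"
}

# Usage inside the step (value arrives as an argument or env var, quoted throughout):
#   tag=$(resolve_version "$LYCHEE_VERSION") || exit 1
#   ...download the release for "$tag" using only the validated value...
```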

Impact

Low

Severity: Moderate (GitHub Reviewed). Published Aug 28, 2025 in lycheeverse/lychee-action. Updated Aug 28, 2025.

Package

Affected versions: < 2.0.2

References

  • GHSA-65rg-554r-9j5x
  • lycheeverse/lychee-action@7cd0af4
  • https://nvd.nist.gov/vuln/detail/CVE-2024-48908

Published to the GitHub Advisory Database: Aug 28, 2025

Last updated: Aug 28, 2025