CVE-2024-48908
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-08-29

Assigner: GitHub, Inc.

Description
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-08-28
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: lycheeverse
Product: lychee-action
Version / Range: * (all versions; the description states the issue was patched in 2.0.2)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-48908 is an arbitrary code injection vulnerability in the lychee-setup composite GitHub Action of the lycheeverse/lychee-action package, affecting versions prior to 2.0.2. The vulnerability occurs because the action improperly handles the input variable 'inputs.lycheeVersion' in the action.yml file, allowing an attacker to inject and execute arbitrary shell commands within the action's execution context. For example, an attacker could set 'lycheeVersion' to a command that dumps environment variables, leading to potential unauthorized code execution and information disclosure. This issue was fixed in version 2.0.2. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary code within the GitHub Action workflow context, potentially compromising the security of the target repository. The attacker could stealthily run malicious commands, access sensitive environment variables, or manipulate the workflow without detection, which could lead to unauthorized access, data leakage, or further exploitation of the repository's environment. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your GitHub Actions workflows use the lycheeverse/lychee-action package with a version prior to 2.0.2. Specifically, look for usage of the input variable `inputs.lycheeVersion` in the action.yml file of the lychee-setup composite action. A proof of concept involves setting `lycheeVersion` to a shell command such as `$(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")` to test if arbitrary code execution is possible. To detect this on your system, review your GitHub Actions workflow files for lychee-action versions below 2.0.2 and check for suspicious input values or unexpected environment variable dumps in workflow run summaries. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the lycheeverse/lychee-action to version 2.0.2 or later, where the vulnerability has been patched. Avoid using untrusted input for the `lycheeVersion` parameter in your GitHub Actions workflows. Review and update your workflows to ensure they do not allow arbitrary code injection via this input. [1]
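The detection and mitigation answers above can be turned into a concrete, offline check. The following Python script is an added example written for this page; it is not code from the lycheeverse/lychee-action project or from BaseFortify. It does two things: it scans workflow text for `lycheeverse/lychee-action@<ref>` pins and classifies each against the fixed version 2.0.2, and it scans an `action.yml` for `${{ inputs.* }}` expressions expanded inside `run:` scripts, which is the general CWE-94 pattern behind this advisory (the example generalizes from `inputs.lycheeVersion` to any input). The sample workflow and `action.yml` fragment are constructed for the example; the `example.invalid` URL, the placeholder commit SHA and the `LYCHEE_VERSION` variable name are assumptions, and the hardened step shows the standard GitHub Actions hardening (pass the input through `env:` and read it as a shell variable), not necessarily the exact change made in 2.0.2.

```python
import re
from typing import List, Tuple

# Version in which the advisory says the issue was patched.
FIXED_VERSION = (2, 0, 2)

# Matches "uses: lycheeverse/lychee-action@<ref>", with optional list dash and quotes.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?lycheeverse/lychee-action@([^\s'\"#]+)", re.MULTILINE
)
# Matches a GitHub Actions expression that reads an action input.
INPUT_EXPR_RE = re.compile(r"\$\{\{\s*inputs\.[A-Za-z0-9_-]+\s*\}\}")


def classify_ref(ref: str) -> str:
    """Classify an @ref pin against the fixed version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    if m:
        version = tuple(int(g) for g in m.groups())
        return "vulnerable" if version < FIXED_VERSION else "fixed"
    if re.fullmatch(r"v?\d+(?:\.\d+)?", ref):
        return "floating"    # major/minor tag moves over time: resolve it before deciding
    return "unresolved"      # commit SHA or branch name: map it to a release manually


def audit_workflow(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (ref, status) for every lychee-action pin found in workflow text."""
    return [(m.group(1), classify_ref(m.group(1))) for m in USES_RE.finditer(workflow_text)]


def find_run_injections(action_yml: str) -> List[Tuple[int, str]]:
    """Return (line_no, expression) for every inputs.* expression expanded in a run: script.

    Line-based so it needs no YAML library: it remembers the indentation of the
    current `run: |` key to know which following lines belong to the script.
    """
    findings: List[Tuple[int, str]] = []
    block_indent = None  # indent of the 'run:' key whose block scalar we are inside
    for line_no, line in enumerate(action_yml.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # block scalar ended
        m = re.match(r"(-\s+)?run:\s*(.*)", stripped)
        if m:
            key_indent = indent + len(m.group(1) or "")
            value = m.group(2).strip()
            if value.startswith(("|", ">")):
                block_indent = key_indent  # multi-line script follows
                continue
            findings += [(line_no, e.group(0)) for e in INPUT_EXPR_RE.finditer(value)]
        elif block_indent is not None:
            findings += [(line_no, e.group(0)) for e in INPUT_EXPR_RE.finditer(line)]
    return findings


# Constructed sample workflow (not taken from any real repository).
WORKFLOW_SAMPLE = """\
name: links
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: old pin
        uses: lycheeverse/lychee-action@v2.0.1
      - name: fixed pin
        uses: "lycheeverse/lychee-action@v2.0.2"
      - name: floating major tag
        uses: lycheeverse/lychee-action@v2
      - name: commit pin (placeholder SHA, not a real commit)
        uses: lycheeverse/lychee-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed action.yml fragment modelled on the vulnerable pattern (not the real file).
ACTION_YML_SAMPLE = """\
# constructed composite action: first step expands the input into script text
name: lychee-setup
inputs:
  lycheeVersion:
    default: v0.16.1
runs:
  using: composite
  steps:
    - name: vulnerable step (expression is expanded into the script text)
      shell: bash
      run: |
        echo "installing lychee ${{ inputs.lycheeVersion }}"
        curl -sSL "https://example.invalid/lychee/${{ inputs.lycheeVersion }}.tar.gz" -o lychee.tar.gz
    - name: hardened step (input reaches the shell only as data, via env)
      shell: bash
      env:
        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
      run: |
        echo "installing lychee $LYCHEE_VERSION"
"""

if __name__ == "__main__":
    for ref, status in audit_workflow(WORKFLOW_SAMPLE):
        print(f"lychee-action@{ref}: {status}")
    for line_no, expr in find_run_injections(ACTION_YML_SAMPLE):
        print(f"action.yml line {line_no}: {expr} expanded inside a run: script")
```

Point `audit_workflow` at the contents of each file under `.github/workflows/` to find pins that need bumping; a `floating` or `unresolved` result means the pin alone does not tell you the version, so resolve the tag or commit before deciding. `find_run_injections` is the reason the hardened step passes the input through `env:`: once the value arrives as a shell variable it is data, not part of the script's source text.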

