CVE-2024-48908
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-08-29

Assigner: GitHub, Inc.

Description
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-08-29
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2024-48908
EUVD
EUVD-2024-54925
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lycheeverse lychee-action *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-48908 is an arbitrary code injection vulnerability in the lychee-setup composite GitHub Action of the lycheeverse/lychee-action package, affecting versions prior to 2.0.2. The vulnerability occurs because the action improperly handles the input variable 'inputs.lycheeVersion' in the action.yml file, allowing an attacker to inject and execute arbitrary shell commands within the action's execution context. For example, an attacker could set 'lycheeVersion' to a command that dumps environment variables, leading to potential unauthorized code execution and information disclosure. This issue was fixed in version 2.0.2. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code within the GitHub Action workflow context, potentially compromising the security of the target repository. The attacker could stealthily run malicious commands, access sensitive environment variables, or manipulate the workflow without detection, which could lead to unauthorized access, data leakage, or further exploitation of the repository's environment. [1]

Detection Guidance

This vulnerability can be detected by checking if your GitHub Actions workflows use the lycheeverse/lychee-action package with a version prior to 2.0.2. Specifically, look for usage of the input variable `inputs.lycheeVersion` in the action.yml file of the lychee-setup composite action. A proof of concept involves setting `lycheeVersion` to a shell command such as `$(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")` to test if arbitrary code execution is possible. To detect this on your system, review your GitHub Actions workflow files for lychee-action versions below 2.0.2 and check for suspicious input values or unexpected environment variable dumps in workflow run summaries. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the lycheeverse/lychee-action to version 2.0.2 or later, where the vulnerability has been patched. Avoid using untrusted input for the `lycheeVersion` parameter in your GitHub Actions workflows. Review and update your workflows to ensure they do not allow arbitrary code injection via this input. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-48908. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart