GHSA-65rg-554r-9j5x

Опубликовано: 28 авг. 2025

Источник: github

Github: Прошло ревью

CVSS4: 6.9

Описание

lychee link checking action affected by arbitrary code injection in composite action

Summary

There is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml.

Details

The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action.

PoC

- uses: lycheeverse/lychee@v2 with: lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")

The previous example will just print all the environment variables to the summary of the workflow, but an attacker could potentially use this vector to compromise the security of the target repository, even passing unnotice because the action will run normally.

Impact

Low

Ссылки

Пакеты

Наименование

lycheeverse/lychee-action

actions

Затронутые версииВерсия исправления

< 2.0.2

2.0.2

EPSS

Процентиль: 1%

0.00012

Низкий

6.9 Medium

CVSS4

CVE ID

CVE-2024-48908

Дефекты

CWE-94

Связанные уязвимости

CVE-2024-48908

nvd

5 месяцев назад

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.

EPSS

Процентиль: 1%

0.00012

Низкий

6.9 Medium

CVSS4

CVE ID

CVE-2024-48908

Дефекты

CWE-94