VYPR
Medium severity · OSV Advisory · Published Aug 28, 2025 · Updated Apr 15, 2026

CVE-2024-48908


Description

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential arbitrary code injection vulnerability in the lychee-setup step of the composite action in action.yml. This issue has been patched in version 2.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An arbitrary code injection vulnerability in lychee-action's composite action allowed attackers to execute commands via the lycheeVersion parameter. Patched in v2.0.2.

Vulnerability

Details

The lychee-action composite action used the inputs.lycheeVersion variable directly within a shell script without proper sanitization, creating an arbitrary code injection vulnerability. Prior to version 2.0.2, the lychee-setup step in action.yml would expand user-supplied input directly into the bash script, allowing an attacker to inject arbitrary shell commands [1][2][3].

Exploitation

An attacker could exploit this by crafting a malicious lycheeVersion value containing shell metacharacters. For example, setting lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1") would execute the injected commands during the action's setup phase. No additional authentication is required beyond the ability to trigger a workflow run with the malicious parameter [4]. The attack surface is any repository using the vulnerable version of the action with an attacker-controlled lycheeVersion input.

Impact

Successful exploitation allows arbitrary code execution within the context of the GitHub Actions runner. This could lead to exfiltration of secrets, modification of repository contents, or further compromise of the CI/CD pipeline. The impact was assessed as Low severity by the maintainers [4].

Mitigation

The issue was patched in lychee-action version 2.0.2 by using an intermediate environment variable (LYCHEE_VERSION) instead of directly interpolating the input into the shell string [3]. Users should update to version 2.0.2 or later. No workaround is available for older versions [1][4].
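The following shell script is an added example written for this page; it is not lychee-action's own code. It reproduces the patched data path described above (the version string reaches the script only through the LYCHEE_VERSION environment variable, never through template interpolation) and adds an allow-list check that the action itself does not have: the assumed policy accepts only "latest", "nightly", or a release tag of the form vX.Y.Z, so a value carrying shell metacharacters is rejected before any URL is built. The function names are invented for the example.

```shell
#!/bin/sh
# Added example for the lychee-action fix (CVE-2024-48908); not the project's code.
# The version comes in as an environment variable, so the shell treats it as data.
# Under the vulnerable pattern ('${{ inputs.lycheeVersion }}' written into the
# script body by the Actions template engine) the same string became script text.

# Assumed allow-list: "latest", "nightly", or a release tag vMAJOR.MINOR.PATCH.
# Returns 0 for an accepted value, 1 otherwise.
lychee_version_is_safe() {
  case "$1" in
    latest|nightly) return 0 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Build the release download URL the way the patched lychee-setup step does,
# reading LYCHEE_VERSION from the environment. Prints the URL on stdout and
# returns 1 (without building anything) when the version fails the allow-list.
lychee_download_url() {
  version="${LYCHEE_VERSION:?LYCHEE_VERSION must be set}"
  if ! lychee_version_is_safe "$version"; then
    # The rejected value is only ever printed as data; it is never evaluated.
    printf 'rejected lycheeVersion: %s\n' "$version" >&2
    return 1
  fi
  # Old release tags (< v0.16) shipped versioned archive names; newer ones do not.
  # The regex is the one used by the action's own step.
  if printf '%s\n' "$version" | grep -Eq '^v0\.0|^v0\.1[0-5]\.'; then
    filename="lychee-${version}-x86_64-unknown-linux-gnu.tar.gz"
    url="https://github.com/lycheeverse/lychee/releases/download/${version}/${filename}"
  else
    filename="lychee-x86_64-unknown-linux-gnu.tar.gz"
    case "$version" in
      nightly) url="https://github.com/lycheeverse/lychee/releases/download/nightly/${filename}" ;;
      latest)  url="https://github.com/lycheeverse/lychee/releases/latest/download/${filename}" ;;
      *)       url="https://github.com/lycheeverse/lychee/releases/download/lychee-${version}/${filename}" ;;
    esac
  fi
  printf '%s\n' "$url"
}

# Usage: sh this_script.sh v0.16.1
if [ "$#" -gt 0 ]; then
  LYCHEE_VERSION="$1" lychee_download_url
fi
```

The allow-list is the part worth carrying into your own workflows: the env-var indirection alone stops the string from being executed as script, but it still lets any value flow into the URL and archive name, so a pattern check at the boundary keeps the later steps from seeing surprises as well.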

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem        Affected versions   Patched versions
lycheeverse/lychee-action    GitHub Actions   < 2.0.2             2.0.2

Affected products (2)

  • (no CPE) range: v1, v1.0.1, v1.0.2, …
  • (no CPE) range: <2.0.2

Patches (1)

7cd0af4c74a6

Merge commit from fork

https://github.com/lycheeverse/lychee-action · Álvaro Mondéjar Rubio · Oct 14, 2024 · via ghsa
1 file changed · +8 −6
  • action.yml (modified, +8 −6)
    @@ -65,17 +65,17 @@ runs:
           id: lychee-setup
           run: |
             # Determine filename and download URL based on version
    -        if [[ '${{ inputs.lycheeVersion }}' =~ ^v0\.0|^v0\.1[0-5]\. ]]; then
    -          FILENAME="lychee-${{ inputs.lycheeVersion }}-x86_64-unknown-linux-gnu.tar.gz"
    -          DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/download/${{ inputs.lycheeVersion }}/${FILENAME}"
    +        if [[ "${LYCHEE_VERSION}" =~ ^v0\.0|^v0\.1[0-5]\. ]]; then
    +          FILENAME="lychee-${LYCHEE_VERSION}-x86_64-unknown-linux-gnu.tar.gz"
    +          DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/download/${LYCHEE_VERSION}/${FILENAME}"
             else
               FILENAME="lychee-x86_64-unknown-linux-gnu.tar.gz"
    -          if [[ '${{ inputs.lycheeVersion }}' == 'nightly' ]]; then
    +          if [[ "${LYCHEE_VERSION}" == 'nightly' ]]; then
                 DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/download/nightly/${FILENAME}"
    -          elif [[ '${{ inputs.lycheeVersion }}' == 'latest' ]]; then
    +          elif [[ "${LYCHEE_VERSION}" == 'latest' ]]; then
                 DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/latest/download/${FILENAME}"
               else
    -            DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/download/lychee-${{ inputs.lycheeVersion }}/${FILENAME}"
    +            DOWNLOAD_URL="https://github.com/lycheeverse/lychee/releases/download/lychee-${LYCHEE_VERSION}/${FILENAME}"
               fi
             fi
     
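Review bot: the `"${LYCHEE_VERSION}"` references in this hunk only carry data if the step actually has an `env:` binding for that name, and this hunk does not show one; confirm the binding lands on the same step, and grep the rest of this `run:` block (lines outside the 65-81 context) for any remaining `${{ inputs.lycheeVersion }}` occurrence, since a single leftover interpolation re-opens the injection. Also worth noting that the `=~ ^v0\.0|^v0\.1[0-5]\.` test only chooses an archive naming scheme; it does not validate the value, so anything not matching still flows into `DOWNLOAD_URL` and `FILENAME` verbatim. An allow-list check (release tag, `latest`, `nightly`) before the `if` would keep odd values out of the URL and out of the later install step.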
    @@ -87,6 +87,8 @@ runs:
     
             # Output filename for use in later steps
             echo "filename=${FILENAME}" >> $GITHUB_OUTPUT
    +      env:
    +        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
           shell: bash
     
         - name: Install lychee
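Review bot: this `env:` mapping is the piece that makes the fix work, since `${{ inputs.lycheeVersion }}` is now expanded into the process environment rather than into the script text; a short comment above it saying why the indirection exists would stop a future refactor from inlining the input back into `run:`. Minor: `>> $GITHUB_OUTPUT` on the context line is unquoted; `>> "$GITHUB_OUTPUT"` is the safer spelling if this block is touched again.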
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.