PT-2025-35094 · Lychee · Lychee
Published: 2025-08-28 · Updated: 2025-08-28
CVE-2024-48908
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
lychee link checking action versions prior to 2.0.2
Description:
The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. This can potentially compromise the security of the target repository. The issue resides in lychee-setup of the composite action at action.yml.
Recommendations:
Update to version 2.0.2 or later.
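To audit your own composite actions for the same class of issue, the added example below (not code from the lychee project or from this advisory) flags every `${{ inputs.* }}` expression that is expanded inside a `run:` script. It assumes the common injection pattern in which the runner substitutes the input into the script text before the shell parses it; the sample action, its URL, the default version and the `LYCHEE_VERSION` variable name are constructed for illustration.

```python
import re

# Constructed sample, NOT lychee's real action.yml. The first step expands the
# input inside the script; the second passes it through env and quotes it.
SAMPLE_ACTION = """\
name: example-composite
inputs:
  lycheeVersion:
    default: v0.0.0
runs:
  using: composite
  steps:
    - name: lychee-setup
      shell: bash
      run: |
        curl -sLO "https://example.invalid/releases/${{ inputs.lycheeVersion }}/tool.tar.gz"
        tar -xzf tool.tar.gz
    - name: lychee-setup-hardened
      shell: bash
      env:
        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
      run: |
        curl -sLO "https://example.invalid/releases/${LYCHEE_VERSION}/tool.tar.gz"
"""

EXPR = re.compile(r"\$\{\{\s*(inputs\.[\w-]+)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_unsafe_run_inputs(action_yaml):
    """Return (line_number, input_ref) for each ${{ inputs.* }} inside a run: script."""
    findings = []
    run_col = None  # column of the active `run:` key, None when outside a script
    for num, line in enumerate(action_yaml.splitlines(), start=1):
        indent = len(line) - len(line.lstrip(" "))
        key = RUN_KEY.match(line)
        if key:
            run_col = len(key.group(1))
            body = key.group(2)  # inline script, or the "|" block marker
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line  # continuation line of the block scalar
        else:
            run_col = None  # dedent: the script has ended
            continue
        findings += [(num, ref) for ref in EXPR.findall(body)]
    return findings


if __name__ == "__main__":
    for num, ref in find_unsafe_run_inputs(SAMPLE_ACTION):
        print(f"line {num}: {ref} expanded inside run: script")
```

The scanner is line-based and only tracks indentation, so treat a clean result as a first pass rather than proof that a workflow is safe.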
Exploit
Fix
Code Injection
Affected Products
Lychee