CVE-2024-48908

Github Actions Lycheeverse/lychee-action < 2.0.2 - Code Injection

Title source: rule

Description

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.

References (2)

[Patch] https://github.com/lycheeverse/lychee-action/commit/7cd0af4c74a61395d455af97419279d86aafaede

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/lycheeverse/lychee-action/security/advisories/GHSA-65rg-554r-9j5x

Scores

EPSS 0.0001

EPSS Percentile 1.5%

Classification

CWE

CWE-94

Status draft

Affected Products (1)

GitHub Actions/lycheeverse/lychee-action < 2.0.2GitHub Actions

Timeline

Published Aug 28, 2025

Tracked Since Feb 18, 2026