CVE-2024-48908 MEDIUM

CVE-2024-48908: lychee-action vulnerable to arbitrary code injection in composite action

Vendor Lycheeverse
Product lychee-action
Weakness CWE-94 · Code injection
Published August 28, 2025
Last update August 28, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.

Key dates

02Disclosure timeline

August 28, 2025 CVE published
August 28, 2025 Record updated