
Arbitrary code injection in composite action

Low
mre published GHSA-65rg-554r-9j5x Aug 28, 2025

Package

actions lycheeverse/lychee-action (GitHub Actions)

Affected versions

<2.0.2

Patched versions

2.0.2

Description

Summary

There is a potential arbitrary code injection vulnerability in the lychee-setup step of the composite action defined in action.yml.

Details

The GitHub Action input inputs.lycheeVersion can be used to execute arbitrary code in the context of the action.

PoC

- uses: lycheeverse/lychee@v2
  with:
    lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")

The example above only prints all the environment variables to the workflow summary, but an attacker could potentially use this vector to compromise the security of the target repository, and it could pass unnoticed because the action still runs normally.
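As an added illustration (constructed for this advisory, not lychee-action's own action.yml), the step pattern that makes an input like lycheeVersion injectable, beside a hardened form that hands the input to the shell as an environment variable and accepts only a tag-shaped value; install-lychee.sh is a hypothetical helper and the version regex is an assumption.

```yaml
# Constructed example of a composite action.yml; not the real lychee-action file.
name: lychee-setup-example
inputs:
  lycheeVersion:
    description: Release tag of lychee to install
    default: v0.16.1
runs:
  using: composite
  steps:
    # VULNERABLE PATTERN: ${{ inputs.lycheeVersion }} is substituted into the
    # script text by the runner before bash starts, so an input such as
    # $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1") becomes part of the
    # command line and runs with the job's permissions and environment.
    # Double quotes do not help: $(...) is still expanded inside them.
    - name: Install lychee (vulnerable)
      shell: bash
      run: |
        ./install-lychee.sh "${{ inputs.lycheeVersion }}"   # hypothetical helper

    # HARDENED PATTERN: pass the input through env so the shell sees it as data,
    # never as script text, then validate it before use.
    - name: Install lychee (hardened)
      shell: bash
      env:
        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
      run: |
        # Regex is an assumption for this example; widen it only if the action
        # legitimately accepts other forms (e.g. a bare "latest").
        if [[ ! "$LYCHEE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          echo "lycheeVersion must be a release tag of the form vX.Y.Z" >&2
          exit 1
        fi
        ./install-lychee.sh "$LYCHEE_VERSION"   # hypothetical helper
```

The same env: indirection applies to any ${{ }} expression an outside party can influence, which is the general class of defect behind this advisory.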

Impact

Low

Severity

Low

CVE ID

CVE-2024-48908

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Credits