Description

The lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, the lychee-setup step of the composite action at action.yml is potentially vulnerable to arbitrary code injection. This issue has been patched in version 2.0.2.

PUBLISHED Reserved 2024-10-09 | Published 2025-08-28 | Updated 2025-08-28 | Assigner GitHub_M




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 2.0.2 (affected)

References

github.com/...action/security/advisories/GHSA-65rg-554r-9j5x

github.com/...ommit/7cd0af4c74a61395d455af97419279d86aafaede

cve.org (CVE-2024-48908)

nvd.nist.gov (CVE-2024-48908)