Lychee Action Arbitrary Code Injection Vulnerability in Composite Action

Vulnerability

An arbitrary code injection vulnerability has been identified in the Lychee link checking action, specifically in the 'lychee-setup' step of the composite action defined in action.yml. It affects versions prior to 2.0.2. The step expands the 'inputs.lycheeVersion' value directly into its shell script as a GitHub Actions expression, so a crafted input is not treated as data but becomes part of the script text and can execute arbitrary commands in the context of the GitHub Action.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the workflow's runner with the permissions of the job, which may include the GITHUB_TOKEN and any secrets exposed to that job, potentially compromising the security of the repository.

Reproduction

To reproduce this vulnerability, use Lychee action version 2.0.1 or earlier and set the 'lycheeVersion' input to a value that includes a shell command substitution, that is, a `$(...)` expression appended to an otherwise valid version string such as 'v0.16.1'. The substituted command is executed in the workflow's environment when the 'lychee-setup' step runs.

Remediation

Users can upgrade to Lychee Action version 2.0.2 or later to address this vulnerability. Workflows that feed attacker-influenced data (for example, values taken from pull request or issue event fields) into 'lycheeVersion' are the ones at risk; pinning the input to a literal version string removes the attacker-controlled value even while an older version is still in use.
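The following is an added example, not code from the lychee-action project or this advisory. It illustrates both the vulnerability described above and the remediation: two constructed, simplified action.yml fragments stand in for the 'lychee-setup' step (the project's real file is assumed to be longer and different), one expanding `${{ inputs.lycheeVersion }}` inside the `run:` script and one passing it through `env:`. A small scanner flags caller-controlled expressions inside `run:` scripts, and `expand_expressions` mimics what the runner does before bash sees the script, which is where a `$(...)` payload becomes live code. The `UNTRUSTED_PREFIXES` list and the payload string are illustrative assumptions.

```python
"""Added example: detect GitHub Actions expression injection in composite
action run: steps and show why the env: indirection fixes it.

The runner substitutes ${{ ... }} expressions textually before the script is
handed to the shell. An input passed through env: instead lands in a shell
variable, and the shell does not perform command substitution on the
contents of a variable expansion.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the 'lychee-setup' step (assumptions, not the
# project's actual action.yml).
VULNERABLE_ACTION_YML = """\
name: constructed-lychee-like-action
inputs:
  lycheeVersion:
    description: lychee release to download
    default: v0.16.1
runs:
  using: composite
  steps:
    - name: lychee-setup
      shell: bash
      run: |
        VERSION="${{ inputs.lycheeVersion }}"
        echo "Installing lychee ${VERSION}"
"""

FIXED_ACTION_YML = """\
name: constructed-lychee-like-action
inputs:
  lycheeVersion:
    description: lychee release to download
    default: v0.16.1
runs:
  using: composite
  steps:
    - name: lychee-setup
      shell: bash
      env:
        LYCHEE_VERSION: ${{ inputs.lycheeVersion }}
      run: |
        VERSION="${LYCHEE_VERSION}"
        echo "Installing lychee ${VERSION}"
"""

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Contexts the caller of a composite action (or an external party, via event
# payloads) controls. Illustrative list, not exhaustive.
UNTRUSTED_PREFIXES = ("inputs.", "github.event.", "github.head_ref")


def run_script_blocks(action_yml: str) -> List[Tuple[int, str]]:
    """Return (1-based line of the run: key, script text) for each run: scalar.

    Handles inline `run: cmd` and block scalars `run: |` / `run: >` by
    collecting following lines indented deeper than the key. Line-based on
    purpose so the example needs no YAML library.
    """
    lines = action_yml.splitlines()
    blocks: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:- )?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        # Column of the run: key; block scalar content must be indented deeper.
        indent = len(m.group(1)) + (2 if lines[i].lstrip().startswith("- ") else 0)
        value = m.group(2)
        if value in ("|", ">", "|-", ">-", ""):
            body = []
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                body.append(lines[j].strip())
                j += 1
            blocks.append((i + 1, "\n".join(body)))
            i = j
        else:
            blocks.append((i + 1, value))
            i += 1
    return blocks


def find_injections(action_yml: str) -> List[Dict[str, object]]:
    """Flag every untrusted ${{ ... }} expression expanded inside a run: script."""
    findings: List[Dict[str, object]] = []
    for line_no, script in run_script_blocks(action_yml):
        for expr in EXPR.findall(script):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append({"line": line_no, "expression": expr})
    return findings


def expand_expressions(script: str, inputs: Dict[str, str]) -> str:
    """Mimic the runner: substitute ${{ inputs.X }} textually before bash runs it."""
    def sub(m: "re.Match[str]") -> str:
        expr = m.group(1)
        if expr.startswith("inputs."):
            return inputs.get(expr[len("inputs."):], "")
        return m.group(0)  # leave other contexts untouched in this model
    return EXPR.sub(sub, script)


if __name__ == "__main__":
    payload = "v0.16.1$(id)"  # assumed payload shape: valid version + substitution
    for label, yml in (("vulnerable", VULNERABLE_ACTION_YML), ("fixed", FIXED_ACTION_YML)):
        print(label, "findings:", find_injections(yml))
        script = run_script_blocks(yml)[0][1]
        print(label, "script as bash receives it:\n", expand_expressions(script, {"lycheeVersion": payload}))
```

In the vulnerable fragment the expanded script contains `VERSION="v0.16.1$(id)"`, and bash performs command substitution inside double quotes, so `id` runs. In the fixed fragment the script text never changes; the payload only ever exists as the value of `LYCHEE_VERSION`, and `"${LYCHEE_VERSION}"` yields it as a literal string. The same scanner applies to any composite action or workflow `run:` step, not just this one.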

Added: Aug 28, 2025, 3:23 PM
Updated: Aug 28, 2025, 3:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.