GHSA-65rg-554r-9j5x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-65rg-554r-9j5x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-65rg-554r-9j5x/GHSA-65rg-554r-9j5x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-65rg-554r-9j5x
- Aliases
- Published
- 2025-08-28T14:40:08Z
- Modified
- 2025-08-28T15:59:37Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- lychee link checking action affected by arbitrary code injection in composite action
- Details
-
Summary
There is a potential attack of arbitrary code injection vulnerability in
lychee-setupof the composite action at action.yml.Details
The GitHub Action variable
inputs.lycheeVersioncan be used to execute arbitrary code in the context of the action.PoC
- uses: lycheeverse/lychee@v2 with: lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")The previous example will just print all the environment variables to the summary of the workflow, but an attacker could potentially use this vector to compromise the security of the target repository, even passing unnotice because the action will run normally.
Impact
Low
- Database specific
{ "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2025-08-28T15:15:42Z", "github_reviewed_at": "2025-08-28T14:40:08Z" }- References