Description
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary host command execution via crafted patch inputs
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an input-handling flaw in melange's patch pipeline, where values supplied through patch-related inputs are incorporated into shell scripts without proper quoting or validation. This flaw permits an attacker to inject shell metacharacters and run arbitrary commands with the privileges of the melange build process, compromising confidentiality, integrity, and availability of the build host. It is classified as CWE-78: OS Command Injection.

Affected Systems

The issue affects Chainguard's melange version 0.10.0 up to, but not including, 0.40.3. Any deployment of these versions that uses the default patch pipeline (invoked through melange build or melange license-check operations) is vulnerable. Versions 0.40.3 and newer contain the patch.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently low probability, and the vulnerability is not listed in CISA's KEV catalog. However, the flaw can be leveraged through the patch pipeline by an attacker who can influence inputs, such as through pull-request-driven continuous integration, build-as-a-service setups, or untrusted configuration values. The attack can be performed without requiring additional credentials, relying solely on the ability to tamper with patch-related inputs.

Generated by OpenCVE AI on April 17, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chainguard melange to version 0.40.3 or later to apply the official patch
  • If an upgrade is not immediately possible, validate or sanitize all patch-related inputs before they are embedded into shell scripts, ensuring that shell metacharacters are escaped or removed
  • Restrict the use of the patch pipeline from external sources such as pull requests or untrusted CI configurations, or disable the pipeline entirely until a secure version is deployed
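One way to implement the input validation recommended above, written here as an added Go example that is not melange's own code: the three input classes the advisory names (series paths, patch filenames, numeric parameters) are checked against a strict allowlist and rejected outright on any shell metacharacter. The function names, the allowlist and the `patch -pN -i` invocation form are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// Added illustration, not melange's code: each input class named in the advisory
// is checked against a strict allowlist (fail closed) before it can reach a shell.
// safePath allows only characters with no shell meaning; backticks, $( ), ; | < >,
// quotes, spaces and newlines never match, so they are rejected, not escaped.
var safePath = regexp.MustCompile(`^[A-Za-z0-9._/+-]+$`)

// ValidatePatchPath accepts a relative series/patch path that stays inside the
// build directory and cannot be misread as a command-line flag.
func ValidatePatchPath(p string) error {
	if !safePath.MatchString(p) {
		return fmt.Errorf("patch path %q contains disallowed characters", p)
	}
	if filepath.IsAbs(p) || strings.HasPrefix(p, "-") {
		return fmt.Errorf("patch path %q must be relative and not flag-like", p)
	}
	if c := filepath.ToSlash(filepath.Clean(p)); c == ".." || strings.HasPrefix(c, "../") {
		return fmt.Errorf("patch path %q escapes the build directory", p)
	}
	return nil
}

// ValidateStripLevel accepts only a small non-negative integer (patch -pN).
func ValidateStripLevel(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 0 || n > 99 {
		return 0, fmt.Errorf("strip level %q is not a small non-negative integer", s)
	}
	return n, nil
}

// BuildPatchCommand assembles the patch invocation only from validated inputs.
// The path is single-quoted as defense in depth; the allowlist already excludes
// the quote character, so the quoted word cannot be terminated early.
func BuildPatchCommand(patch, strip string) (string, error) {
	if err := ValidatePatchPath(patch); err != nil {
		return "", err
	}
	n, err := ValidateStripLevel(strip)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("patch -p%d -i '%s'", n, patch), nil
}
```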

Advisories

Source: GitHub GHSA
ID: GHSA-rf4g-89h5-crcr
Title: melange affected by potential host command execution via license-check YAML mode patch pipeline

History

Wed, 18 Feb 2026 16:00:00 +0000

First Time appeared (values added): Chainguard; Chainguard melange
CPEs (values added): cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*
Vendors & Products (values added): Chainguard; Chainguard melange

Thu, 05 Feb 2026 15:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

First Time appeared (values added): Chainguard-dev; Chainguard-dev melange
Vendors & Products (values added): Chainguard-dev; Chainguard-dev melange

Wed, 04 Feb 2026 20:00:00 +0000

Description (values added): identical to the Description section at the top of this page
Title (values added): melange affected by potential host command execution via license-check YAML mode patch pipeline
Weaknesses (values added): CWE-78
References (values added):
Metrics (values added): cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:33:04.735Z

Reserved: 2026-01-29T15:39:11.820Z

Link: CVE-2026-25143

Vulnrichment

Updated: 2026-02-05T14:23:14.385Z

NVD

Status: Analyzed

Published: 2026-02-04T20:16:06.227

Modified: 2026-02-18T15:55:19.757

Link: CVE-2026-25143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses