Description
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure through path traversal
Action: Patch
AI Analysis

Impact

Melange, a tool for building Android package files from declarative pipelines, contains a path‑traversal flaw in the LicenseInfos function. The function reads license files listed in copyright[].license-path without enforcing that the file lies inside the build workspace. An attacker who can influence a melange configuration file—such as by submitting a pull request or manipulating a build‑as‑a‑service environment—can supply a path containing “../” sequences that point to arbitrary files on the host system. The contents of those files are then embedded into the generated Software Bill of Materials as license text, allowing the attacker to exfiltrate sensitive data. This weakness is a classic input validation issue identified as CWE‑22 and results in accidental disclosure of confidential host files.

Affected Systems

The vulnerability affects all releases of chainguard‑dev’s melange from version 0.14.0 through 0.40.2, inclusive. The issue was fixed in version 0.40.3. Therefore any component or pipeline that pulls a melange image older than 0.40.3 and accepts untrusted configuration inputs is vulnerable.

Risk and Exploitability

The CVSS score for this issue is 5.5, reflecting a medium‑severity information‑disclosure risk. The EPSS score is below 1 %, indicating a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed public exploits. Attackers will need the ability to modify or influence the melange configuration file, which is common in CI pipelines that merge code from external contributors. Once the configuration is accepted, the attacker can read arbitrary host files and embed them into the resulting SBOM, achieving data exfiltration without further elevation. The low EPSS and lack of known exploits mean the immediacy of risk is moderate, but the potential impact on confidentiality warrants timely remediation.

Generated by OpenCVE AI on April 18, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade melange to version 0.40.3 or later, where the path validation has been added.
  • If an upgrade cannot be performed immediately, configure the CI environment to reject non‑signed or untrusted configuration files, ensuring only trusted contributors can modify the license‑path entries.
  • Apply input validation to any custom configuration processing: verify that license-path values resolve to the workspace directory and reject any path containing relative traversal components.
  • Monitor SBOM outputs for unexpected license text that references system files and investigate any findings promptly.

Generated by OpenCVE AI on April 18, 2026 at 13:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2w4f-9fgg-q2v9 melange has a path traversal in license-path which allows reading files outside workspace
History

Wed, 18 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard
Chainguard melange
CPEs cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*
Vendors & Products Chainguard
Chainguard melange

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev melange
Vendors & Products Chainguard-dev
Chainguard-dev melange

Wed, 04 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3.
Title melange has a path traversal in license-path which allows reading files outside workspace
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Chainguard Melange
Chainguard-dev Melange
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:32:56.438Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25145

cve-icon Vulnrichment

Updated: 2026-02-05T14:20:16.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T20:16:06.373

Modified: 2026-02-18T15:53:58.957

Link: CVE-2026-25145

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses