Description
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + ".yaml")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`.
Published: 2026-04-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Patch
AI Analysis

Impact

The vulnerability allows attackers who can influence a melange configuration file, such as in pull‑request‑driven continuous integration, to set the pipeline[].uses field to a value containing directory traversal or an absolute path. The build process interprets this value as a file name relative to the configured pipeline directory, which can be moved outside the intended directory using "../" sequences or an absolute path. The resulting file is parsed as a new pipeline definition and any commands listed in its runs block are executed via /bin/sh –c in the build sandbox, giving the attacker the ability to run arbitrary shell commands in the build environment. This flaw is a classic directory traversal (CWE‑22) that leads to remote code execution.

Affected Systems

The flaw exists in Chainguard Dev's melange from version 0.32.0 through 0.43.3. The affected product is the melange command‑line tool, which builds Android application packages using declarative pipelines.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity, and the EPSS score is <1%, suggesting a low probability of exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through construction of a malicious or tampered configuration file that is retrieved as part of a CI or build‑as‑a‑service workflow; once the configuration file is processed, the attacker can inject shell commands that run in the build sandbox.

Generated by OpenCVE AI on April 28, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade melange to version 0.43.4 or newer, which rejects pipeline[].uses values that are absolute paths or contain ".." and ensures the resolved file remains within the pipeline directory.
  • In environments where upgrading immediately is not feasible, run melange build only against configuration files from trusted sources and reject any that contain leading slashes or ".." sequences in pipeline[].uses before the build starts.
  • In continuous‑integration systems that build user‑supplied melange configs, place a gate that requires manual review of the pipeline[].uses field and prohibits any values that trigger the directory‑traversal logic.

Generated by OpenCVE AI on April 28, 2026 at 07:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-98f2-w9h9-7fp9 melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
History

Mon, 27 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard
Chainguard melange
CPEs cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*
Vendors & Products Chainguard
Chainguard melange

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + ".yaml")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`.
Title melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Chainguard Melange
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:38:30.604Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29050

cve-icon Vulnrichment

Updated: 2026-04-25T01:38:26.953Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T00:16:27.303

Modified: 2026-04-27T14:31:58.970

Link: CVE-2026-29050

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses