Description
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.
Published: 2026-04-24
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite via path traversal
Action: Apply patch
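The following Go program is an added illustration of the defect class and the fix described above; it is not melange's own code. It parses the `pkgname`, `pkgver` and `arch` lines of a `.PKGINFO` control file, then rejects any value containing `..`, `/` or `filepath.Separator` before joining it into a report path, which is the check the advisory attributes to v0.43.4. The on-disk layout `<out-dir>/<arch>/lint-<pkgname>-<pkgver>.json` (with `pkgver` carrying its `-r<epoch>` suffix as APKs write it), the function names, the extra `pkgver` check and the final containment check are assumptions made for this example, not details taken from the project.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// PkgInfo holds the .PKGINFO fields that end up in the lint report path.
type PkgInfo struct {
	Name    string // pkgname
	Version string // pkgver, e.g. "2.12-r0" (epoch suffix included)
	Arch    string // arch
}

// ParsePkgInfo reads the "key = value" lines of an APK .PKGINFO file and
// keeps only pkgname, pkgver and arch. Other keys are ignored.
func ParsePkgInfo(content string) (PkgInfo, error) {
	var pi PkgInfo
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return pi, fmt.Errorf("malformed .PKGINFO line: %q", line)
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch k {
		case "pkgname":
			pi.Name = v
		case "pkgver":
			pi.Version = v
		case "arch":
			pi.Arch = v
		}
	}
	if err := sc.Err(); err != nil {
		return pi, err
	}
	if pi.Name == "" || pi.Version == "" || pi.Arch == "" {
		return pi, errors.New(".PKGINFO is missing pkgname, pkgver or arch")
	}
	return pi, nil
}

// validatePathComponent applies the check the advisory describes: a value
// used as a path component must not contain "..", "/" or the platform
// separator. Rejecting empty values and NUL bytes is extra hardening
// assumed here, not part of the described fix.
func validatePathComponent(field, v string) error {
	if v == "" {
		return fmt.Errorf("%s is empty", field)
	}
	for _, bad := range []string{"..", "/", string(filepath.Separator), "\x00"} {
		if strings.Contains(v, bad) {
			return fmt.Errorf("%s %q contains forbidden sequence %q", field, v, bad)
		}
	}
	return nil
}

// LintResultPath builds the report path under outDir using the assumed
// layout <outDir>/<arch>/lint-<pkgname>-<pkgver>.json. Every untrusted
// component is validated first; a final lexical containment check guards
// against any future change to the layout reintroducing an escape.
func LintResultPath(outDir string, pi PkgInfo) (string, error) {
	if err := validatePathComponent("arch", pi.Arch); err != nil {
		return "", err
	}
	if err := validatePathComponent("pkgname", pi.Name); err != nil {
		return "", err
	}
	if err := validatePathComponent("pkgver", pi.Version); err != nil {
		return "", err
	}
	p := filepath.Join(outDir, pi.Arch, fmt.Sprintf("lint-%s-%s.json", pi.Name, pi.Version))
	rel, err := filepath.Rel(outDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("report path %q escapes %q", p, outDir)
	}
	return p, nil
}

// Constructed sample control files for the demo (not from any real package).
const benignPkgInfo = `# constructed sample
pkgname = hello
pkgver = 2.12-r0
arch = x86_64
`

const traversalPkgInfo = `pkgname = ../../../../tmp/clobber
pkgver = 1.0-r0
arch = x86_64
`

func main() {
	for _, c := range []string{benignPkgInfo, traversalPkgInfo} {
		pi, err := ParsePkgInfo(c)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		p, err := LintResultPath("/work/packages", pi)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would write", p)
	}
}
```

Running it prints the report path for the benign control file and a rejection for the one whose `pkgname` carries `../` segments. Note that the substring test on `..` is deliberately coarse: it also refuses names such as `foo..bar`, which is the conservative choice for a value that only ever becomes a file name.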
AI Analysis

Impact

This vulnerability occurs in the melange build tool when the optional flag --persist-lint-results is enabled. In versions from 0.32.0 up to but not including 0.43.4, melange constructs output file paths by concatenating the user-specified --out-dir directory with the package architecture and name extracted from a maliciously crafted .PKGINFO file. Because these values are not validated for path separators or directory traversal sequences, an attacker who can supply a forged APK to the lint or build process can cause the tool to write a JSON lint report to an arbitrary location within the filesystem accessible to melange. The written content is partially influenced by the attacker, allowing potential overwrite of other JSON artifacts, but there is no direct code-execution path.

Affected Systems

Chainguard Dev's melange, versions 0.32.0 up to but not including 0.43.4, when the --persist-lint-results flag is enabled.

Risk and Exploitability

The CVSS v3.1 score of 4.4 reflects a medium severity due to limited impact; the EPSS score is under 1%, indicating a very low probability that exploitation will occur. The vulnerability does not provide privilege escalation or remote code execution, but it can lead to destructive file overwrite within an environment that trusts the build pipeline. The attack would need an adversary who can influence the .PKGINFO of an APK processed by a melange instance, such as an insecure CI pipeline that lints third-party APKs. The issue is not listed in CISA’s KEV catalog, and no public exploit has been reported.

Generated by OpenCVE AI on April 28, 2026 at 07:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update melange to version 0.43.4 or later, which validates arch and pkgname fields before constructing the file path.
  • If an update is not immediately possible, avoid using the --persist-lint-results flag for APKs whose .PKGINFO contents are not fully trusted.
  • Run melange under a low-privileged user and restrict the output directory to a secure, isolated location to limit the impact of any accidental path traversal.

Generated by OpenCVE AI on April 28, 2026 at 07:07 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-q2pw-xx38-p64j
Title: melange has Path Traversal via .PKGINFO in --persist-lint-results

History

Mon, 27 Apr 2026 14:45:00 +0000

(No values were removed in this entry.)

Type: First Time appeared
Values Added: Chainguard; Chainguard melange

Type: CPEs
Values Added: cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*

Type: Vendors & Products
Values Added: Chainguard; Chainguard melange

Fri, 24 Apr 2026 14:15:00 +0000

(No values were removed in this entry.)

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 00:15:00 +0000

(No values were removed in this entry.)

Type: Description
Values Added: the advisory text shown in the Description section at the top of this record (identical wording, not repeated here)

Type: Title
Values Added: melange has Path Traversal via .PKGINFO in --persist-lint-results

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T13:10:10.825Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29051

Vulnrichment

Updated: 2026-04-24T13:10:07.094Z

NVD

Status: Analyzed

Published: 2026-04-24T00:16:27.477

Modified: 2026-04-27T14:42:38.000

Link: CVE-2026-29051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses