{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54059", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-16T13:22:18.203Z", "datePublished": "2025-07-18T15:40:43.277Z", "dateUpdated": "2025-07-18T16:04:30.154Z"}, "containers": {"cna": {"title": "melange creates SBOM files in APKs with world-writable permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "lang": "en", "description": "CWE-276: Incorrect Default Permissions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh"}, {"name": "https://github.com/chainguard-dev/melange/pull/1836", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/pull/1836"}, {"name": "https://github.com/chainguard-dev/melange/pull/2086", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/pull/2086"}, {"name": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04"}, {"name": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1"}, {"name": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0"}, {"name": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": ">= 0.23.0, < 0.29.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-18T15:40:43.277Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."}], "source": {"advisory": "GHSA-5662-cv6m-63wh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-18T15:53:51.678522Z", "id": "CVE-2025-54059", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T16:04:30.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-18T15:53:51.678522Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T15:53:59.807Z"}}], "cna": {"title": "melange creates SBOM files in APKs with world-writable permissions", "source": {"advisory": "GHSA-5662-cv6m-63wh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": ">= 0.23.0, < 0.29.5"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/melange/pull/1836", "name": "https://github.com/chainguard-dev/melange/pull/1836", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/melange/pull/2086", "name": "https://github.com/chainguard-dev/melange/pull/2086", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04", "name": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1", "name": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0", "name": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5", "name": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-18T15:40:43.277Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54059", "state": "PUBLISHED", "dateUpdated": "2025-07-18T16:04:30.154Z", "dateReserved": "2025-07-16T13:22:18.203Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-18T15:40:43.277Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."}, {"lang": "es", "value": "Melange permite a los usuarios crear paquetes APK mediante pipelines declarativos. A partir de la versi\u00f3n 0.23.0 y anteriores a la 0.29.5, los archivos SBOM generados por Melange en APK ten\u00edan permisos de sistema de archivos en modo 666. Esto podr\u00eda permitir que un usuario sin privilegios altere los SBOM de APK en una imagen en ejecuci\u00f3n, lo que podr\u00eda confundir a los esc\u00e1neres de seguridad. Un atacante tambi\u00e9n podr\u00eda realizar un ataque de DoS en circunstancias especiales. La versi\u00f3n 0.29.5 corrige el problema."}], "id": "CVE-2025-54059", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-18T16:15:30.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/pull/1836"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/pull/2086"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}