{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25145", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.821Z", "datePublished": "2026-02-04T19:32:35.907Z", "dateUpdated": "2026-02-05T14:32:56.438Z"}, "containers": {"cna": {"title": "melange has a path traversal in license-path which allows reading files outside workspace", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9"}, {"name": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": ">= 0.14.0, < 0.40.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:32:35.907Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3."}], "source": {"advisory": "GHSA-2w4f-9fgg-q2v9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:20:16.275847Z", "id": "CVE-2026-25145", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:32:56.438Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25145", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:20:16.275847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:20:16.972Z"}}], "cna": {"title": "melange has a path traversal in license-path which allows reading files outside workspace", "source": {"advisory": "GHSA-2w4f-9fgg-q2v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": ">= 0.14.0, < 0.40.3"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4", "name": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:32:35.907Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25145", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:32:56.438Z", "dateReserved": "2026-01-29T15:39:11.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T19:32:35.907Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "matchCriteriaId": "67EBECFD-BD89-4F4E-A497-4AEE445EC5C3", "versionEndExcluding": "0.40.5", "versionStartIncluding": "0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3."}, {"lang": "es", "value": "melange permite a los usuarios construir paquetes apk utilizando pipelines declarativos. Desde la versi\u00f3n 0.14.0 hasta antes de la 0.40.3, un atacante que pueda influir en un archivo de configuraci\u00f3n de melange (por ejemplo, a trav\u00e9s de CI impulsado por solicitudes de extracci\u00f3n o escenarios de construcci\u00f3n como servicio) podr\u00eda leer archivos arbitrarios del sistema anfitri\u00f3n. La funci\u00f3n LicensingInfos en pkg/config/config.go lee archivos de licencia especificados en copyright[].license-path sin validar que las rutas permanezcan dentro del directorio del espacio de trabajo, permitiendo el salto de ruta a trav\u00e9s de secuencias ../. El contenido del archivo recorrido se incrusta en el SBOM generado como texto de licencia, lo que permite la exfiltraci\u00f3n de datos sensibles a trav\u00e9s de artefactos de construcci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 0.40.3."}], "id": "CVE-2026-25145", "lastModified": "2026-02-18T15:53:58.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T20:16:06.373", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:46:27.545654+00:00", "value": {"mitigation_remediation": ["Upgrade melange to version 0.40.3 or later, where the path validation has been added.", "If an upgrade cannot be performed immediately, configure the CI environment to reject non\u2011signed or untrusted configuration files, ensuring only trusted contributors can modify the license\u2011path entries.", "Apply input validation to any custom configuration processing: verify that license-path values resolve to the workspace directory and reject any path containing relative traversal components.", "Monitor SBOM outputs for unexpected license text that references system files and investigate any findings promptly."], "summary": {"action": "Patch", "impact": "Information Disclosure through path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of chainguard\u2011dev\u2019s melange from version 0.14.0 through 0.40.2, inclusive. The issue was fixed in version 0.40.3. Therefore any component or pipeline that pulls a melange image older than 0.40.3 and accepts untrusted configuration inputs is vulnerable.", "description_and_impact": "Melange, a tool for building Android package files from declarative pipelines, contains a path\u2011traversal flaw in the LicenseInfos function. The function reads license files listed in copyright[].license-path without enforcing that the file lies inside the build workspace. An attacker who can influence a melange configuration file\u2014such as by submitting a pull request or manipulating a build\u2011as\u2011a\u2011service environment\u2014can supply a path containing \u201c../\u201d sequences that point to arbitrary files on the host system. The contents of those files are then embedded into the generated Software Bill of Materials as license text, allowing the attacker to exfiltrate sensitive data. This weakness is a classic input validation issue identified as CWE\u201122 and results in accidental disclosure of confidential host files.", "risk_and_exploitability": "The CVSS score for this issue is 5.5, reflecting a medium\u2011severity information\u2011disclosure risk. The EPSS score is below 1\u202f%, indicating a low probability of exploitation at present, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no confirmed public exploits. Attackers will need the ability to modify or influence the melange configuration file, which is common in CI pipelines that merge code from external contributors. Once the configuration is accepted, the attacker can read arbitrary host files and embed them into the resulting SBOM, achieving data exfiltration without further elevation. The low EPSS and lack of known exploits mean the immediacy of risk is moderate, but the potential impact on confidentiality warrants timely remediation."}}}}, "created": "2026-02-05T11:39:40.826969+00:00", "updated": "2026-04-18T14:00:02.175568+00:00", "vendors": ["chainguard-dev", "chainguard-dev$PRODUCT$melange"]}