{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29049", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-03-06T07:03:10.361Z", "dateUpdated": "2026-03-09T20:00:19.899Z"}, "containers": {"cna": {"title": "melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": "<= 0.40.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:03:10.361Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available."}], "source": {"advisory": "GHSA-7rp8-r62p-q6wc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T20:00:02.881191Z", "id": "CVE-2026-29049", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:00:19.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29049", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:00:02.881191Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:00:14.380Z"}}], "cna": {"title": "melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI", "source": {"advisory": "GHSA-7rp8-r62p-q6wc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": "<= 0.40.5"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:03:10.361Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29049", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:00:19.899Z", "dateReserved": "2026-03-03T17:50:11.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T07:03:10.361Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "matchCriteriaId": "03E019F3-C40D-4A30-9A0C-8B4CC7D2FF8A", "versionEndIncluding": "0.40.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available."}, {"lang": "es", "value": "melange permite a los usuarios construir paquetes apk utilizando pipelines declarativos. En la versi\u00f3n 0.40.5 y anteriores, melange update-cache descarga URIs de configuraciones de compilaci\u00f3n a trav\u00e9s de io.Copy sin ning\u00fan l\u00edmite de tama\u00f1o o tiempo de espera del cliente HTTP (pkg/renovate/cache/cache.go). Una URI controlada por un atacante en una configuraci\u00f3n de melange puede causar escrituras de disco ilimitadas, agotando el disco en el ejecutor de compilaci\u00f3n. No hay ning\u00fan parche conocido disponible p\u00fablicamente."}], "id": "CVE-2026-29049", "lastModified": "2026-03-10T19:28:57.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T07:16:02.093", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.40.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "melange", "source": "cna", "vendor": "chainguard-dev"}, "product": "melange", "vendor": "chainguard-dev"}], "analysis": {"en": {"generated_at": "2026-04-16T11:28:15.737804+00:00", "value": {"mitigation_remediation": ["Implement strict validation of download URLs in melange configurations, allowing only trusted domains or IPs.", "Configure CI environments to enforce disk quotas or monitor available disk space, triggering alerts before exhaustion occurs.", "Apply size limits or timeouts to HTTP clients used by melange, or use a reverse proxy that enforces download size constraints.", "When a vendor patch becomes available, upgrade melange or manually modify cache.go to add a size cap and timeout."], "summary": {"action": "Mitigate", "impact": "Disk Exhaustion"}, "threat_synthesis": {"affected_systems": "The affected product is Chainguard's melange, versions 0.40.5 and earlier. This flaw was identified in the pkg/renovate/cache/cache.go file. The vulnerability applies to any environment where melange update-cache is executed with a build configuration that includes attacker-supplied download URLs.", "description_and_impact": "Melange, a tool for building APK packages through declarative pipelines, contains an unbounded HTTP download flaw in its update-cache command. The code copies remote content without imposing a download size limit or HTTP client timeout, enabling an attacker who controls a URI referenced in a melange configuration to write unlimited data to disk. The resulting disk exhaustion can cause the CI build runner to run out of space and fail, effectively degrading availability.", "risk_and_exploitability": "The CVSS score is 4.3, and EPSS is undersampled (<\u20091\u202f%), indicating a moderate severity with a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, suggesting it is not currently an actively exploited vulnerability. Exploitation requires control over the melange configuration used in a CI pipeline; therefore the attack vector is likely remote delivery through compromised or malicious build definitions."}}}}, "created": "2026-03-06T14:55:29.910891+00:00", "updated": "2026-04-16T11:30:15.910309+00:00", "vendors": ["chainguard-dev", "chainguard-dev$PRODUCT$melange"]}