An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts.
Fix: Merged in commit 2f95c9f4
Acknowledgements
melange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.
| Score | Percentile |
|---|---|
| 0.00% | 0.15% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-2w4f-9fgg-q2v9 ↗ |
| CVE | CVE-2026-25145 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | chainguard.dev/melange | >= 0.14.0, < 0.40.3 | 0.40.3 | — |