CVE-2025-54059
📋 TL;DR
Melange versions 0.23.0 through 0.29.4 write the SBOM files they embed in APK packages with mode 0666 (world-writable), so any unprivileged local user or process on a system where such a package is installed can alter them. A tampered SBOM can mislead security scanners that read it, and in some scenarios the modification can cause a denial of service. Anyone building APK packages with an affected melange version, and anyone deploying those packages, is impacted.
💻 Affected Systems
- melange
⚠️ Manual Verification Required
The vulnerable artifact is the SBOM file shipped inside each APK, not the melange binary on a build host, so checking the melange version alone is not sufficient. Confirm exposure by hand:
- Check the vendor advisory (GHSA-5662-cv6m-63wh) and the NVD entry for the current affected range
- Determine which melange version built each APK you ship; 0.23.0 through 0.29.4 are affected
- Inspect the mode of the SBOM files inside the built APKs and in deployed images
- Rebuild with melange 0.29.5 or later and redeploy
⚠️ Risk & Real-World Impact
Worst Case
A local attacker rewrites the SBOM so that it omits or misreports installed components, causing vulnerability scanners that rely on it to miss affected packages and undermining supply chain integrity evidence built on the SBOM.
Likely Case
Unauthorized modification of SBOM files causing confusion in security audits or triggering false alerts in vulnerability scanners.
If Mitigated
If SBOM files are reset to 0644 and integrity-monitored, impact is limited to a potential denial of service through file manipulation in specific edge cases.
🎯 Exploit Status
Exploitation requires local, unprivileged access to a container, image or host where an affected APK is installed; because the SBOM file is world-writable, any local user or compromised process can overwrite it with ordinary file operations. There is no remote vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.29.5
Vendor Advisory: https://github.com/chainguard-dev/melange/releases/tag/v0.29.5
Restart Required: No
Instructions:
1. Update melange to version 0.29.5 or later.
2. Rebuild every APK package that was built with an affected version; the fix changes how new packages are generated and does not alter packages already built.
3. Redeploy containers/images with the rebuilt packages.
🔧 Temporary Workarounds
Manual file permission correction
Manually set correct permissions on SBOM files in already-deployed containers/images. This only corrects files on disk; the affected APK itself is unchanged, so the fix must be repeated on every fresh deployment until the package is rebuilt.
chmod 644 /path/to/sbom/files/*.sbom
🧯 If You Can't Patch
- Implement strict access controls on container runtime environments to limit unprivileged user access.
- Monitor file integrity of SBOM files in production containers using tools like AIDE or file integrity monitoring solutions.
🔍 How to Verify
Check if Vulnerable:
Run melange version; 0.23.0 through 0.29.4 are affected. Because the defect lives in the generated package, also list the file modes of the SBOM files inside APKs built by that version: a mode of -rw-rw-rw- (0666) confirms exposure.
Check Version:
melange version
Verify Fix Applied:
After updating to 0.29.5 or later, rebuild the APK packages and confirm that the SBOM files inside them are 0644 (-rw-r--r--) rather than 0666 (-rw-rw-rw-). Packages built before the update remain vulnerable until rebuilt.
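The following script is an added example for the verification step above and for the chmod workaround in Temporary Workarounds; it is not code from the melange project or from this advisory. It assumes an APK is a gzip-compressed tar archive that tar -tzv can list, that melange places SBOMs under var/lib/db/sbom/ inside the package (change SBOM_DIR if your layout differs), and that tar, gzip and awk are available. The sample package it builds is constructed for demonstration, not a real melange build.

```shell
#!/bin/sh
# Added example (not melange project code): check the mode of the SBOM files
# inside a built APK, and repair SBOM files already on disk that were left
# group/other-writable. Assumptions: APK = gzip tar archive listable with
# tar -tzv; SBOMs live under var/lib/db/sbom/ (melange's layout); tar, gzip
# and awk are installed.

SBOM_DIR="var/lib/db/sbom"

# check_sbom_modes <pkg.apk>
# Prints "<mode> <path>" for every regular file under SBOM_DIR in the package.
# Returns 0 when all are writable by owner only, 1 when any is group- or
# other-writable (the 0666 case of this CVE), 2 when no SBOM file is present.
check_sbom_modes() {
    apk="$1"
    # tar -tzv prints the symbolic mode in $1 and the path in $NF, e.g.
    # "-rw-rw-rw- root/root 51 2025-07-16 12:00 var/lib/db/sbom/x.spdx.json"
    # Only regular files (leading '-') are kept; directory entries are skipped.
    listing=$(tar -tzvf "$apk" 2>/dev/null | grep "^-.* $SBOM_DIR/" || true)
    if [ -z "$listing" ]; then
        echo "no SBOM files under $SBOM_DIR in $apk" >&2
        return 2
    fi
    printf '%s\n' "$listing" | awk '{ print $1, $NF }'
    # In "-rw-rw-rw-" character 6 is the group-write bit, character 9 the
    # other-write bit. Either set means the file is writable by others.
    printf '%s\n' "$listing" | awk '
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# fix_deployed_sbom_modes <rootfs>
# Workaround for files already on disk (a mounted container rootfs, or "/"):
# resets any group/other-writable SBOM file to 0644. Prints the count changed.
fix_deployed_sbom_modes() {
    root="$1"
    dir="$root/$SBOM_DIR"
    if [ ! -d "$dir" ]; then
        echo 0
        return 0
    fi
    changed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | awk '{ print $1 }')
        case "$mode" in
            ?????w*|????????w*)   # group-write (char 6) or other-write (char 9)
                chmod 644 "$f"
                changed=$((changed + 1))
                ;;
        esac
    done
    echo "$changed"
}

# make_sample_apk <out.apk> <mode>
# Builds a constructed package containing one SBOM file with the given mode,
# so the checks above can be exercised offline. Not a real melange build.
make_sample_apk() {
    out="$1"
    mode="$2"
    work=$(mktemp -d)
    mkdir -p "$work/$SBOM_DIR"
    printf '{"spdxVersion":"SPDX-2.3","name":"sample-1.0.0-r0"}\n' \
        > "$work/$SBOM_DIR/sample-1.0.0-r0.spdx.json"
    chmod "$mode" "$work/$SBOM_DIR/sample-1.0.0-r0.spdx.json"
    tar -C "$work" -czf "$out" "$SBOM_DIR"
    rm -rf "$work"
}

# Usage when run as a script: sh check_sbom.sh pkg.apk
if [ $# -gt 0 ]; then
    check_sbom_modes "$1"
fi
```

Run check_sbom_modes against each APK in your repository before publishing it; a non-zero exit on a package built by 0.29.5 or later indicates the build was not actually done with the fixed version. fix_deployed_sbom_modes is only a stopgap for running images, as noted under Temporary Workarounds.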
📡 Detection & Monitoring
Log Indicators:
- File integrity monitoring alerts (AIDE, auditd or similar) on writes to SBOM files inside running containers; container runtime logs alone do not record file modifications
- Alerts on permission changes to SBOM files
Network Indicators:
- N/A - Local file system vulnerability
SIEM Query:
source="container_runtime" AND (file_modification="*.sbom" OR file_permission_change="*.sbom")
The field names above are placeholders; map them to the event fields emitted by your file integrity monitoring or audit source.
🔗 References
- https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04
- https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1
- https://github.com/chainguard-dev/melange/pull/1836
- https://github.com/chainguard-dev/melange/pull/2086
- https://github.com/chainguard-dev/melange/releases/tag/v0.23.0
- https://github.com/chainguard-dev/melange/releases/tag/v0.29.5
- https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh