CVE-2026-25145

5.5 MEDIUM

📋 TL;DR

This vulnerability in melange allows attackers to read arbitrary files from the host system through path traversal in license file paths. Attackers who can influence melange configuration files (e.g., via pull requests in CI/CD pipelines) can exfiltrate sensitive data through generated SBOM artifacts. Users running melange versions 0.14.0 through 0.40.2 in build automation scenarios are affected.

💻 Affected Systems

Products:
  • melange
Versions: 0.14.0 to 0.40.2
Operating Systems: All platforms running melange
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when melange processes user-controlled configuration files, typically in CI/CD or build-as-a-service scenarios.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive host system files including SSH keys, passwords, configuration files, and proprietary data through exfiltration in build artifacts.

🟠

Likely Case

Exfiltration of build secrets, API keys, and configuration files from the build environment through manipulated CI/CD pipelines.

🟢

If Mitigated

Limited impact with proper access controls, sandboxing, and configuration validation preventing unauthorized configuration changes.

🌐 Internet-Facing: MEDIUM - Exploitable through CI/CD systems accepting external contributions, but requires ability to modify build configurations.
🏢 Internal Only: LOW - Requires internal threat actors with build configuration modification privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to modify melange configuration files, which is common in CI/CD environments accepting external contributions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.40.3

Vendor Advisory: https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9

Restart Required: No

Instructions:

1. Update melange to version 0.40.3 or later using your package manager.
2. Verify the update with 'melange version'.
3. Rebuild any affected packages to ensure clean SBOM generation.

🔧 Temporary Workarounds

Validate configuration files

Platform: all

Implement pre-build validation to ensure license paths don't contain path traversal sequences

grep -r "\.\./" melange-configs/
find melange-configs/ -name "*.yaml" -exec grep -l "license-path.*\.\./" {} \;
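The grep checks above flag a literal '../' but miss absolute paths and paths that only escape the workspace after normalisation. The following pre-build linter, an added example that is not part of this advisory or of melange itself, resolves each license-path against the build workspace and rejects anything that lands outside it; the workspace path /tmp/build and the sample configuration are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// LicensePathOK reports whether a license-path value from a melange config
// resolves inside workspace. Absolute paths are rejected outright; relative
// paths are joined to the workspace, cleaned (which collapses ".." segments)
// and then checked to still be under it.
func LicensePathOK(workspace, licensePath string) bool {
	if licensePath == "" || filepath.IsAbs(licensePath) {
		return false
	}
	base, err := filepath.Abs(workspace)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(base, filepath.Join(base, licensePath))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// FindBadLicensePaths scans melange YAML text for "license-path:" keys and
// returns the values that fail LicensePathOK. It deliberately avoids a YAML
// library, so it only strips simple surrounding quotes from each value.
func FindBadLicensePaths(workspace, yamlText string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(yamlText))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "- ")
		if !strings.HasPrefix(line, "license-path:") {
			continue
		}
		_, value, _ := strings.Cut(line, "license-path:")
		value = strings.Trim(strings.TrimSpace(value), `"'`)
		if !LicensePathOK(workspace, value) {
			bad = append(bad, value)
		}
	}
	return bad
}

// sampleConfig is a constructed melange-style fragment: one safe entry and
// two that escape the workspace (the second only after ".." normalisation).
const sampleConfig = `package:
  name: example
  copyright:
    - license: MIT
      license-path: LICENSE
    - license: Apache-2.0
      license-path: ../../../../etc/passwd
    - license: BSD-3-Clause
      license-path: "docs/../../secret.txt"
`

func main() {
	for _, p := range FindBadLicensePaths("/tmp/build", sampleConfig) {
		fmt.Println("rejected license-path:", p)
	}
}
```

Run it over each config before the build step and fail the pipeline when the returned list is non-empty.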

Sandbox build environment

Platform: linux

Run melange builds in isolated containers with restricted filesystem access

docker run --read-only -v /tmp/build:/build:ro alpine/melange build ...

🧯 If You Can't Patch

  • Implement strict access controls on who can submit melange configuration changes
  • Monitor and audit SBOM outputs for unexpected license text content

🔍 How to Verify

Check if Vulnerable:

Check melange version with 'melange version' and verify it's between 0.14.0 and 0.40.2 inclusive

Check Version:

melange version

Verify Fix Applied:

Confirm version is 0.40.3 or later with 'melange version' and test with a configuration containing '../' in license-path to ensure it's rejected

📡 Detection & Monitoring

Log Indicators:

  • Failed license file reads outside workspace directory
  • Configuration files with '../' sequences in license paths
  • Unusually large license text in generated SBOMs

Network Indicators:

  • Unexpected data in build artifact uploads
  • Large SBOM files being transmitted from build systems

SIEM Query:

source="melange" AND (("license-path" AND "../") OR "path traversal")
