CVE-2025-54059

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04
https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1
https://github.com/chainguard-dev/melange/pull/1836
https://github.com/chainguard-dev/melange/pull/2086
https://github.com/chainguard-dev/melange/releases/tag/v0.23.0
https://github.com/chainguard-dev/melange/releases/tag/v0.29.5
https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh

Configurations

No configuration.

History

No history.

Information

Published : 2025-07-18 16:15

Updated : 2025-07-22 13:06

NVD link : CVE-2025-54059

Mitre link : CVE-2025-54059

CVE.ORG link : CVE-2025-54059

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2025-54059", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 1.8}]}, "published": "2025-07-18T16:15:30.180", "references": [{"url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/pull/1836", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/pull/2086", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."}, {"lang": "es", "value": "Melange permite a los usuarios crear paquetes APK mediante pipelines declarativos. A partir de la versi\u00f3n 0.23.0 y anteriores a la 0.29.5, los archivos SBOM generados por Melange en APK ten\u00edan permisos de sistema de archivos en modo 666. Esto podr\u00eda permitir que un usuario sin privilegios altere los SBOM de APK en una imagen en ejecuci\u00f3n, lo que podr\u00eda confundir a los esc\u00e1neres de seguridad. Un atacante tambi\u00e9n podr\u00eda realizar un ataque de DoS en circunstancias especiales. La versi\u00f3n 0.29.5 corrige el problema."}], "lastModified": "2025-07-22T13:06:27.983", "sourceIdentifier": "[email protected]"}