melange creates SBOM files in APKs with world-writable permissions

4.4 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.

Basic Information

ID CVE-2025-54059

Source GitHub_M

Published Jul 18, 2025 at 15:40

Modified Jul 18, 2025 at 16:04

Affected Product

Vendor chainguard-dev

Product melange

Version >= 0.23.0, < 0.29.5

Affected Versions chainguard-dev melange >= 0.23.0, < 0.29.5

CWE Classification

CWE-276

References

{
    "lastseen": "",
    "description": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.",
    "published": "2025-07-18T15:40:43.277Z",
    "modified": "2025-07-18T16:04:30.154Z",
    "type": "cve",
    "title": "melange creates SBOM files in APKs with world-writable permissions",
    "source": "GitHub_M",
    "references": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh\nhttps://github.com/chainguard-dev/melange/pull/1836\nhttps://github.com/chainguard-dev/melange/pull/2086\nhttps://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04\nhttps://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1\nhttps://github.com/chainguard-dev/melange/releases/tag/v0.23.0\nhttps://github.com/chainguard-dev/melange/releases/tag/v0.29.5",
    "id": "CVE-2025-54059",
    "bulletinFamily": "",
    "cwe": [
        "CWE-276"
    ],
    "cvelist": null,
    "sourceData": "chainguard-dev melange >= 0.23.0, < 0.29.5",
    "sourceHref": "",
    "cvss": {
        "score": 4.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "melange",
    "version": ">= 0.23.0, < 0.29.5",
    "vendor": "chainguard-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

melange creates SBOM files in APKs with world-writable permissions_CVE-2025-54059