PT-2026-23003 · Melange · Melange

1Seal · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-29049

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: melange versions prior to 0.40.5
Description: melange enables users to create apk packages using declarative pipelines. In versions 0.40.5 and earlier, the melange update-cache function downloads URIs from build configurations using io.Copy without any size limitations or HTTP client timeouts. An attacker-controlled URI within a melange configuration can lead to unrestricted disk writes, potentially exhausting disk space on the build runner. The vulnerable code is located in pkg/renovate/cache/cache.go.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
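The description above names two missing controls: an HTTP client without a timeout and an io.Copy with no size bound. The Go program below is an added example written for this page, not melange's own code from pkg/renovate/cache/cache.go. It shows the unbounded pattern (vulnerableFetch) next to a hardened form (boundedFetch) that sets a per-request timeout, checks the status code, rejects a declared oversized Content-Length early, and caps the bytes written through copyBounded. The function names, the 256 MiB cap and the 60 second timeout are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// ErrTooLarge is returned when a response body exceeds the configured cap.
var ErrTooLarge = errors.New("response body exceeds size limit")

// vulnerableFetch mirrors the pattern the advisory describes: the default
// client has no timeout and io.Copy has no size bound, so the destination
// grows to whatever the remote server chooses to send.
func vulnerableFetch(uri string, dst io.Writer) (int64, error) {
	resp, err := http.Get(uri) // http.DefaultClient: Timeout is zero
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return io.Copy(dst, resp.Body) // no size limit
}

// copyBounded copies at most maxBytes from src to dst. It returns ErrTooLarge
// (together with the byte count already written) when src holds more than
// maxBytes, so the caller can discard the partial artifact rather than use it.
func copyBounded(dst io.Writer, src io.Reader, maxBytes int64) (int64, error) {
	n, err := io.CopyN(dst, src, maxBytes)
	if errors.Is(err, io.EOF) {
		return n, nil // source ended at or below the cap
	}
	if err != nil {
		return n, err
	}
	// Exactly maxBytes were copied; probe one more byte to tell "fits" from "over".
	var probe [1]byte
	if _, perr := io.ReadFull(src, probe[:]); perr == nil {
		return n, ErrTooLarge
	}
	return n, nil
}

// boundedFetch is the hardened form: a client with a per-request timeout, a
// status check, early rejection of a declared oversized Content-Length, and
// copyBounded for bodies of unknown length. maxBytes and timeout are assumed
// policy values supplied by the caller, not melange settings.
func boundedFetch(uri string, dst io.Writer, maxBytes int64, timeout time.Duration) (int64, error) {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(uri)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %q from %s", resp.Status, uri)
	}
	if resp.ContentLength > maxBytes {
		return 0, ErrTooLarge // server declared a body over the cap; do not read it
	}
	return copyBounded(dst, resp.Body, maxBytes)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: boundedfetch <url> <output-file>")
		os.Exit(2)
	}
	out, err := os.Create(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot create output:", err)
		os.Exit(1)
	}
	// 256 MiB and 60 s are assumed caps for this example.
	n, err := boundedFetch(os.Args[1], out, 256<<20, 60*time.Second)
	out.Close()
	if err != nil {
		os.Remove(os.Args[2]) // do not leave a truncated or oversized artifact behind
		fmt.Fprintln(os.Stderr, "download failed:", err)
		os.Exit(1)
	}
	fmt.Printf("wrote %d bytes to %s\n", n, os.Args[2])
}
```

The probe read in copyBounded is what makes the cap exact: io.CopyN alone cannot distinguish a body of exactly maxBytes from a longer one, and trusting Content-Length is not enough because a chunked response reports -1. Removing the output file on error matters as much as the cap itself, since a build cache that keeps a truncated download would later serve it as if it were complete.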

Exploit

SSRF

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-29049
GHSA-7RP8-R62P-Q6WC
GO-2026-4588
SUSE-SU-2026:1042-1

Affected Products

Melange