PT-2025-30051 · Melange · Melange

Codyharris-H2O-Ai

Published

2025-07-18

Updated

2025-08-04

CVE-2025-54059

CVSS v3.1

4.4

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions melange versions 0.23.0 through 0.29.4

Description melange allows users to build apk packages using declarative pipelines. SBOM files generated by melange in apks had file system permissions mode 666, potentially allowing an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a Denial of Service under special circumstances.

Recommendations Update to version 0.29.5 or later.

Exploit

Fix

DoS

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276

Related Identifiers

CVE-2025-54059

GHSA-5662-CV6M-63WH

GO-2025-3815

OPENSUSE-SU-2025:15405-1

Affected Products

Melange

PT-2025-30051 · Melange · Melange

CVE-2025-54059

Weakness Enumeration

Related Identifiers

Affected Products

References · 72