Melange
CVE-2026-24843
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
AnalysisAI
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.
Technical ContextAI
Classified as CWE-22 (Path Traversal). Affects Melange. melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 0.40.3.. Validate and sanitize file path inputs. Use allowlists.
melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]
Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling atta
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files fro
Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files fro
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qxx2-7h4c-83f4