Melange
CVE-2026-29049
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
AnalysisAI
Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files from attacker-controlled URIs without enforcing size limits or timeouts. An attacker can craft a malicious melange configuration file to trigger unbounded disk writes on build systems, consuming all available storage and denying service to legitimate builds. No patch is currently available.
Technical ContextAI
Classified as CWE-400 (Uncontrolled Resource Consumption). Affects Melange. melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that
melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]
Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling atta
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files fro
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7rp8-r62p-q6wc