CVE-2025-54059

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54059
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54059.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-54059
Aliases
Published
2025-07-18T16:15:30Z
Modified
2025-07-29T19:12:09.706196Z
Summary
[none]
Details

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.

References

Affected packages

Git / github.com/chainguard-dev/melange

Affected ranges

Type
GIT
Repo
https://github.com/chainguard-dev/melange
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1b272db2a0bb3441553284cc56d87236b4b64c04
Fixed
2c649a99da753b84563ce8e4c3f4c5ae868d5f3f
Fixed
e29494b4a40a91619ec1c87a09003c6d5164cea1

Affected versions

v0.*

v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.14.0
v0.14.1
v0.14.10
v0.14.11
v0.14.2
v0.14.3
v0.14.4
v0.14.5
v0.14.6
v0.14.7
v0.14.8
v0.14.9
v0.15.0
v0.15.1
v0.15.10
v0.15.11
v0.15.12
v0.15.13
v0.15.14
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.15.9
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.17.7
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.19.4
v0.19.5
v0.2.0
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.22.0
v0.22.1
v0.22.2
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.5.10
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.11
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0