CVE-2025-54059

CVE-2025-54059 · PUBLISHED · CVSS 4.4 (MEDIUM)

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, the SBOM files that melange generated inside apks were written with file system permission mode 666 (world-writable). This potentially allows an unprivileged user on a running image to tamper with the apk SBOMs, which could confuse security scanners that rely on them. Under special circumstances an attacker could also cause a denial of service. Version 0.29.5 fixes the issue.

EPSS 0.08% · 23.7th percentile

Risk Scores

CVSS 3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.08%
23.7th percentile

Affected Products

Vendor           Product   Versions
chainguard.dev   melange   0.23.0
chainguard-dev   melange   *

Timeline

  • Jan 21, 1970 Fix PR Merged
  • Jan 21, 1970 Security Advisory
  • Jul 18, 2025 CVE Published
  • Jul 18, 2025 Coalition ESS Score
  • Jul 19, 2025 EPSS Score
  • Jul 22, 2025 Coalition ESS Score
  • Jul 28, 2025 EPSS Score
  • Aug 6, 2025 EPSS Score
  • Aug 15, 2025 EPSS Score
  • Aug 22, 2025 Coalition ESS Score
  • Aug 25, 2025 EPSS Score