CVE-2025-54059 PUBLISHED CVSS 4.4 MEDIUM

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, the SBOM files melange generated inside apks were written with file system permission mode 666 (world-writable). Because of this, an unprivileged user on a running image can tamper with the apk SBOMs, which can mislead security scanners that rely on them. An attacker could also cause a denial of service under special circumstances. Version 0.29.5 fixes the issue.
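A defender's check for the condition described above, added here as an example and not code from the melange project: it walks the tar members of an apk and reports SBOM entries whose mode has the other-writable bit set. It assumes melange places SBOMs under var/lib/db/sbom/ (a layout not stated on this page) and that the apk is a sequence of concatenated gzip tar streams, which tarfile walks with ignore_zeros=True; the sample apk is constructed in memory.

```python
import io
import stat
import tarfile

# Assumed path prefix for per-package SBOMs inside an apk (not stated on the page).
SBOM_PREFIX = "var/lib/db/sbom/"


def world_writable_sboms(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (path, mode) for SBOM members whose mode lets 'other' write.

    Real apks are several concatenated gzip tar streams; gzip handles the
    concatenated members and ignore_zeros=True lets tarfile continue past
    the stream boundaries instead of stopping at the first end marker.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(apk_bytes), mode="r:gz",
                      ignore_zeros=True) as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Normalise "./var/lib/..." to "var/lib/..." before matching.
            if not member.name.lstrip("./").startswith(SBOM_PREFIX):
                continue
            if member.mode & stat.S_IWOTH:  # mode 666 sets this bit; 644 does not
                findings.append((member.name, oct(member.mode & 0o777)))
    return findings


def build_sample_apk(sbom_mode: int) -> bytes:
    """Constructed sample data section: a single SBOM file with the given mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b'{"spdxVersion": "SPDX-2.3", "name": "sample-1.0.0"}'
        info = tarfile.TarInfo(name=SBOM_PREFIX + "sample-1.0.0.spdx.json")
        info.size = len(payload)
        info.mode = sbom_mode
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # A package built by an affected melange release would report its SBOM here.
    print("mode 666:", world_writable_sboms(build_sample_apk(0o666)))
    print("mode 644:", world_writable_sboms(build_sample_apk(0o644)))
```

To check an installed image instead of a package file, the same bit test can be applied to the files under the SBOM directory with os.stat.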

EPSS 0.02% · 6.2th percentile

Risk Scores

CVSS v3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.02%
6.2th percentile

Affected Products

Vendor            Product    Versions
chainguard.dev    melange    0.23.0
chainguard-dev    melange    *

Timeline

References
