CVE-2025-54059
PUBLISHED
CVSS 4.4 MEDIUM
melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange inside apks were written with file system permission mode 666 (world-writable). This potentially allows an unprivileged user on a running image to tamper with the apk SBOMs, potentially confusing security scanners that rely on them. Under special circumstances an attacker could also cause a denial of service (DoS). Version 0.29.5 fixes the issue.
EPSS 0.08% · 23.7th percentile
Risk Scores
CVSS 3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.08%
23.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| chainguard.dev | melange | 0.23.0 |
| chainguard-dev | melange | * |
Exploit Intelligence
- https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh (circl)
- https://github.com/chainguard-dev/melange/pull/1836 (circl)
- https://github.com/chainguard-dev/melange/pull/2086 (circl)
- https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04 (circl)
- https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1 (circl)
- https://github.com/chainguard-dev/melange/releases/tag/v0.23.0 (circl)
- https://github.com/chainguard-dev/melange/releases/tag/v0.29.5 (circl)
Timeline
- Jan 21, 1970 Fix PR Merged
- Jan 21, 1970 Fix PR Merged
- Jan 21, 1970 Security Advisory
- Jul 18, 2025 CVE Published
- Jul 18, 2025 Coalition ESS Score
- Jul 19, 2025 EPSS Score
- Jul 22, 2025 Coalition ESS Score
- Jul 28, 2025 EPSS Score
- Aug 6, 2025 EPSS Score
- Aug 15, 2025 EPSS Score
- Aug 22, 2025 Coalition ESS Score
- Aug 25, 2025 EPSS Score
References
- https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh url
- https://github.com/chainguard-dev/melange/pull/1836 url
- https://github.com/chainguard-dev/melange/pull/2086 url
- https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04 url
- https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1 url
- https://github.com/chainguard-dev/melange/releases/tag/v0.23.0 url
- https://github.com/chainguard-dev/melange/releases/tag/v0.29.5 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-54059 advisory
- https://github.com/chainguard-dev/melange package