CVE-2025-54059
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard-dev | melange | 0.23.0 |
| chainguard-dev | melange | 0.29.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in melange versions from 0.23.0 up to but not including 0.29.5 involves the Software Bill of Materials (SBOM) files generated within APK packages being created with overly permissive file permissions (mode 666). This means that these SBOM files are world-writable, allowing any unprivileged user on the system to modify them. Such tampering can mislead security scanners that rely on SBOMs for verifying package integrity. Additionally, under certain conditions, an attacker could exploit this to cause a denial of service (DoS). The issue was fixed in version 0.29.5 by tightening the file permissions to mode 644, restricting write access to the owner only. [5, 3, 2]
How can this vulnerability impact me?
The vulnerability allows unprivileged local users to modify SBOM files inside running APK images due to the files having world-writable permissions. This tampering can confuse or mislead security scanners that depend on SBOMs for integrity verification, potentially hiding malicious changes or vulnerabilities. Furthermore, under special circumstances, an attacker could exploit this to cause a denial of service (DoS), impacting the availability of the system or service. The overall impact is limited to integrity and availability, with no confidentiality loss. [5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the file permissions of the SBOM files generated by melange in your APK packages. Specifically, look for SBOM files with overly permissive permissions (mode 666, i.e. world-writable). For example, you can run commands to find such files inside your running images or build directories, such as `find /path/to/apk/files -name '*.spdx.json' -perm 666 -ls`, or `ls -l /path/to/apk/files/*.spdx.json` to see whether the files have permissions `-rw-rw-rw-`. Identifying SBOM files with these permissions indicates the presence of the vulnerability. [5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade melange to version 0.29.5 or later, where the vulnerability is fixed by tightening the file permissions of SBOM files and signature tarballs to mode 644 (read/write for owner, read-only for others). This prevents unprivileged users from modifying these files. If upgrading is not immediately possible, manually change the permissions of existing SBOM files to 644 using a command like `chmod 644 /path/to/sbom/files/*.spdx.json` to restrict write access. Additionally, review and restrict access controls on the directories containing these files to prevent unauthorized modifications. [1, 2, 3, 5]
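The detection and interim-mitigation answers above, worked as an added shell example (not code from the advisory or from the melange project). It inspects an APK archive for world-writable `*.spdx.json` members without installing it, and clears the others-write bit on SBOMs in an already-installed tree; the sample package, its file names and the `var/lib/db/sbom` path are constructed for the demonstration. Unlike `-perm 666`, the checks match any mode that has the others-write bit set, not only exactly 666.

```shell
#!/bin/sh
# Added example: check an APK package (a gzip-compressed tar archive) for
# SBOM members whose mode is world-writable, then apply the interim fix
# (mode 644) to an installed tree. Not part of the advisory or of melange.
set -eu

# List every *.spdx.json member of the archive whose permission string has
# 'w' in the "others" position (e.g. -rw-rw-rw- for mode 666).
# Works with both GNU tar and bsdtar: field 1 is the mode, last field is the name.
world_writable_sboms() {
    tar -tvzf "$1" | awk '$NF ~ /\.spdx\.json$/ && substr($1, 9, 1) == "w" { print $NF }'
}

# Interim mitigation for an installed tree (the advisory's fix is mode 644):
# find SBOMs with the others-write bit set and restrict them to 644.
restrict_installed_sboms() {
    find "$1" -name '*.spdx.json' -perm -0002 -exec chmod 644 {} +
}

# Build a constructed sample package in a temp dir containing one 666 SBOM
# and one 644 SBOM, so the checks can be demonstrated offline.
# The path var/lib/db/sbom and the package names are assumptions for the demo.
make_sample_apk() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg/var/lib/db/sbom"
    echo '{"spdxVersion":"SPDX-2.3"}' > "$d/pkg/var/lib/db/sbom/bad-1.0-r0.spdx.json"
    echo '{"spdxVersion":"SPDX-2.3"}' > "$d/pkg/var/lib/db/sbom/good-1.0-r0.spdx.json"
    chmod 666 "$d/pkg/var/lib/db/sbom/bad-1.0-r0.spdx.json"
    chmod 644 "$d/pkg/var/lib/db/sbom/good-1.0-r0.spdx.json"
    tar -czf "$d/sample.apk" -C "$d/pkg" .
    echo "$d/sample.apk"
}

# Demo run: report vulnerable members, then fix the extracted copy.
if [ "${1:-}" = "--demo" ]; then
    apk=$(make_sample_apk)
    echo "World-writable SBOMs in $apk:"
    world_writable_sboms "$apk"
    restrict_installed_sboms "$(dirname "$apk")/pkg"
    echo "After restrict_installed_sboms:"
    ls -l "$(dirname "$apk")/pkg/var/lib/db/sbom"
fi
```

Run with `sh check_sbom_perms.sh --demo`, or point `world_writable_sboms` at a real `.apk` file and `restrict_installed_sboms` at an image's root filesystem.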