CVE-2026-25145
Path Traversal in Melange Allows Arbitrary File Read via SBOM
Publication date: 2026-02-04
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | melange | From 0.14.0 (inc) to 0.40.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25145 is a path traversal vulnerability in the melange package management tool versions 0.14.0 to before 0.40.3. It occurs because the LicensingInfos function reads license files specified in configuration without properly validating that the file paths stay within the intended workspace directory. An attacker who can influence the melange configuration file (for example, via pull request-driven CI or build-as-a-service scenarios) can include path traversal sequences like "../" in the license-path parameter. This allows the attacker to read arbitrary files from the host system outside the workspace.'}, {'type': 'paragraph', 'content': 'The contents of these arbitrary files are then embedded into the generated Software Bill of Materials (SBOM) as license text, enabling exfiltration of sensitive data through build artifacts. The vulnerability was patched in version 0.40.3 by adding strict validation to ensure license paths are cleaned and confined within the workspace directory, rejecting any path traversal or absolute paths.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker who can influence your melange configuration files to read arbitrary sensitive files from your host system. These files could include secrets, credentials, or other confidential information.
The attacker does not need any special privileges but requires the ability to modify configuration files used in the build process, such as through pull request-driven CI or build-as-a-service environments.
The sensitive data read from the host system is embedded into the generated SBOM as license text, which can then be exfiltrated through build artifacts, potentially leading to data leaks.
The vulnerability affects confidentiality (high impact) but does not affect integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by inspecting melange configuration files for suspicious license-path entries that include path traversal sequences such as '../'. Since the vulnerability involves reading arbitrary files via crafted license-paths, checking for such patterns in configuration files or build pipelines is key."}, {'type': 'paragraph', 'content': "There are no specific network detection commands provided, but you can search your melange configuration files or CI build configurations for license-path values containing '../' or absolute paths."}, {'type': 'list_item', 'content': 'Use grep or similar tools to find suspicious license-path entries, for example:'}, {'type': 'list_item', 'content': 'grep -r "license-path:.*\\.\\./" /path/to/melange/configs'}, {'type': 'list_item', 'content': 'Check build logs or generated SBOMs for unexpected license text that may contain contents of sensitive files.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade melange to version 0.40.5 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch enforces strict validation of license-paths by cleaning and localizing paths to ensure they remain within the workspace directory, rejecting any path traversal or absolute paths.'}, {'type': 'paragraph', 'content': 'Additionally, review and restrict who can modify melange configuration files, especially in CI or build-as-a-service environments, to prevent untrusted users from injecting malicious license-paths.'}, {'type': 'paragraph', 'content': "If upgrading immediately is not possible, manually audit and sanitize license-path entries in configuration files to ensure they do not contain '../' sequences or absolute paths."}] [1, 2]