CVE-2026-29051: Path Traversal in Melange via Unvalidated .PKGINFO Fields
Vulnerability ID: CVE-2026-29051
CVSS Score: 4.4
Published: 2026-04-23
Melange versions prior to 0.43.4 are vulnerable to a path traversal attack when processing untrusted APK packages with the --persist-lint-results flag. Attackers can manipulate the .PKGINFO metadata to write JSON files outside intended directories.
TL;DR
A path traversal vulnerability in Chainguard's melange tool (CVE-2026-29051, CVSS 4.4) allows attackers to perform arbitrary JSON file writes when the --persist-lint-results flag is enabled, requiring an update to version 0.43.4.
Technical Details
- CWE ID: CWE-22
- Attack Vector: Local (AV:L)
- CVSS v3.1: 4.4 (Medium)
- Impact: Arbitrary JSON File Write / Clobbering
- Exploit Status: Unexploited / No PoC
- KEV Status: Not Listed
Affected Systems
- melange CI/CD pipelines
- Automated APK linting infrastructure
- melange: >= 0.32.0, < 0.43.4 (Fixed in: 0.43.4)
Code Analysis
Commit: 84f3b45
Fix path traversal vulnerability in lint results persistence
import (
	"path/filepath"
	"strings"
)

// containsPathTraversal rejects any .PKGINFO-derived string that carries a
// parent-directory reference ("..") or a path separator (the OS separator or
// a literal "/") before it is used to build the lint results output path.
func containsPathTraversal(s string) bool {
	return strings.Contains(s, "..") || strings.Contains(s, string(filepath.Separator)) || strings.Contains(s, "/")
}
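The check above only looks at individual metadata fields. The following is an added example (not melange's code and not from the fix commit) showing how such a field check is typically combined with a second, path-level containment check when .PKGINFO values are turned into an output file name. The function names lintResultsPath and persistLintResults are hypothetical stand-ins for the persistence logic, and the sample pkgname/pkgver values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// containsPathTraversal mirrors the per-field check from the advisory's fix:
// reject "..", the OS separator, and a literal "/".
func containsPathTraversal(s string) bool {
	return strings.Contains(s, "..") || strings.Contains(s, string(filepath.Separator)) || strings.Contains(s, "/")
}

// ErrUnsafeField is returned when a .PKGINFO-derived field would escape outDir.
var ErrUnsafeField = errors.New("unsafe .PKGINFO field: refusing to build lint results path")

// lintResultsPath builds the JSON output path for a package's lint results from
// untrusted .PKGINFO fields (pkgname, pkgver). Hypothetical stand-in, not melange's
// saveLintResults. Two layers: the per-field string check, then a containment check
// on the joined path so that a bypass of the first layer still cannot leave outDir.
func lintResultsPath(outDir, pkgName, pkgVer string) (string, error) {
	for _, f := range []string{pkgName, pkgVer} {
		if f == "" || containsPathTraversal(f) {
			return "", fmt.Errorf("%w: %q", ErrUnsafeField, f)
		}
	}
	absOut, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absOut, pkgName+"-"+pkgVer+".lint.json")
	// Defense in depth: the cleaned, joined path must resolve strictly under outDir.
	rel, err := filepath.Rel(absOut, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: resolved outside %s", ErrUnsafeField, absOut)
	}
	return target, nil
}

// persistLintResults writes the JSON body only if the derived path is accepted,
// and returns the path actually written.
func persistLintResults(outDir, pkgName, pkgVer string, body []byte) (string, error) {
	p, err := lintResultsPath(outDir, pkgName, pkgVer)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return "", err
	}
	return p, os.WriteFile(p, body, 0o644)
}

func main() {
	// Constructed sample .PKGINFO field values: one benign, two that must be rejected.
	cases := [][2]string{
		{"curl", "8.0.1-r0"},
		{"../../outside", "1"},
		{"curl", "1/../../x"},
	}
	for _, c := range cases {
		p, err := lintResultsPath("/tmp/lint-out", c[0], c[1])
		fmt.Printf("pkgname=%q pkgver=%q -> path=%q err=%v\n", c[0], c[1], p, err)
	}
}
```

The filepath.Rel check is what catches a value the string check did not anticipate; rejecting on both layers, and logging the wrapped ErrUnsafeField, gives the monitoring hook the mitigation section below refers to.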
Mitigation Strategies
- Upgrade melange to version 0.43.4 or later
- Avoid using the --persist-lint-results flag with untrusted APK files
- Execute melange within an isolated filesystem namespace or container
- Run the melange process as an unprivileged user
Remediation Steps:
- Identify the version of melange currently deployed in CI/CD pipelines.
- Update the binary or container image to version 0.43.4.
- Review build scripts and remove the --persist-lint-results flag if the source APK is untrusted.
- Implement log monitoring for path traversal error strings from the saveLintResults function.