{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "source": "REFERENCES"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac"
            }
          ],
          "repo": "https://github.com/chainguard-dev/melange",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-q2pw-xx38-p64j"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29051.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "0.32.0"
          },
          {
            "fixed": "0.43.4"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-\u003cpkgname\u003e-\u003cpkgver\u003e-r\u003cepoch\u003e.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.",
  "id": "CVE-2026-29051",
  "modified": "2026-07-08T05:37:33.754002062Z",
  "published": "2026-04-24T00:00:36.253Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29051.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29051"
    },
    {
      "type": "FIX",
      "url": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "melange has Path Traversal via .PKGINFO in --persist-lint-results"
}