CNNVD-202602-587 Information

CNNVD ID

CNNVD-202602-587

CVE-2026-25145

  • CNNVD Published: 2026-02-04

Description (Chinese, translated)

melange is open-source software from Chainguard that builds APK packages from source. melange versions 0.14.0 up to, but not including, 0.40.3 contain a path traversal vulnerability: the LicensingInfos function does not validate the path when it reads license files, which can allow path traversal and reading of arbitrary files.

Description (English)

melange is Chainguard's open-source tool for building APK packages from source. Versions 0.14.0 up to, but not including, 0.40.3 contain a path traversal vulnerability: the LicensingInfos function does not validate the path when it reads license files, so a crafted license path can escape the intended directory and cause arbitrary files to be read.
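The class of bug the advisory describes is a path joined onto a source root without a containment check. The following Go example is added here and is not melange's code (the real fix is in the commit linked under References); the names `unsafeLicensePath`, `safeLicensePath`, `strictlyInside` and `ErrOutsideRoot` are hypothetical. It places the vulnerable join beside a hardened resolver that rejects absolute paths, `..` escapes and, when the file exists, symlinks that point outside the root, and it runs against a constructed temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a license path would resolve outside the
// package source root. (Hypothetical name; not from melange.)
var ErrOutsideRoot = errors.New("license path escapes the source root")

// unsafeLicensePath shows the vulnerable pattern the advisory describes:
// an attacker-controlled relative path is joined onto the root with no
// containment check. filepath.Join cleans the result, so "../../etc/passwd"
// simply walks out of root and the caller reads an arbitrary file.
func unsafeLicensePath(root, rel string) string {
	return filepath.Join(root, rel)
}

// safeLicensePath resolves rel against root and rejects any result that is
// not strictly inside root, checking both the lexical path and, when the
// file exists, the symlink-resolved path.
func safeLicensePath(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, rel) // Join also cleans ".." segments
	if !strictlyInside(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	// Lexical containment is not enough: a symlink inside root can point
	// outside it, so compare the fully resolved paths as well.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			// A missing license file cannot be read, so it is the caller's
			// problem (the later open fails), not a traversal.
			return candidate, nil
		}
		return "", err
	}
	resolvedRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	if !strictlyInside(resolvedRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// strictlyInside reports whether p lies underneath root. The root itself
// does not count: a license path must name a file, not the root directory.
func strictlyInside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed sample: a throwaway source root with one real license file
	// and one symlink that escapes the root into a second directory.
	root, err := os.MkdirTemp("", "license-root")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "outside")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(outside)
	secret := filepath.Join(outside, "secret")
	_ = os.WriteFile(filepath.Join(root, "LICENSE"), []byte("MIT\n"), 0o644)
	_ = os.WriteFile(secret, []byte("not a license\n"), 0o644)
	_ = os.Symlink(secret, filepath.Join(root, "LICENSE.link"))

	for _, rel := range []string{"LICENSE", "../../etc/passwd", "/etc/passwd", "LICENSE.link"} {
		fmt.Printf("unsafe: %-18s -> %s\n", rel, unsafeLicensePath(root, rel))
		p, err := safeLicensePath(root, rel)
		fmt.Printf("safe:   %-18s -> %q err=%v\n", rel, p, err)
	}
}
```

The two-stage check matters: a lexical `..` filter alone still lets a symlink planted inside the source tree (for example by a malicious upstream tarball) reach files outside it, which is why the resolved path is compared against the resolved root as well.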

Hazard Level

High

Vulnerability Type

Path Traversal

Affected Vendor

Chainguard

Published

2026-02-04

Last Modified

2026-02-24

References

https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4 (fix commit)
https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9 (GitHub security advisory)

Patch

https://github.com/chainguard-dev/melange/releases
