Chainguard: >> Melange >> 0.1.0 Security Vulnerabilities
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-03-06