CVE

CVE-2026-25143

melange affected by potential host command execution via license-check YAML mode patch pipeline

An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The built-in patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into the shell scripts it generates without quoting or validating them, so shell metacharacters in those values break out of their intended context.

The vulnerability affects the built-in patch pipeline, which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (for example through pull-request-driven CI, a build-as-a-service setup, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(...), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process.
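The following is an added example, not melange's own code and not the contents of patch.yaml. It models the bug class the advisory describes: a hypothetical pipeline template splices two input-derived values (a numeric strip count and a patch filename) into a shell script by plain text substitution and then evaluates the result, beside a hardened rendering that validates each input against what it is supposed to be and single-quotes anything that still reaches the script text. The `patch` command is replaced by a stub that only prints its arguments, so nothing is touched on disk.

```shell
#!/bin/sh
# Added example: models the unquoted-template bug class, not melange's code.
# The template strings below are a hypothetical simplification of a
# pipeline step, and patch(1) is stubbed out so the breakout is harmless.

# Stub standing in for the real patch(1): prints its arguments, nothing else.
patch() { printf 'patch %s\n' "$*"; }

# Constructed attacker-controlled filename: ';' terminates the patch command
# and the remainder runs as a second command.
EVIL_PATCH='fix.patch; echo INJECTED'

# Vulnerable rendering: values are pasted into the script text unquoted.
render_unquoted() {
    printf 'patch -p%s -i %s' "$1" "$2"
}

run_unquoted() {
    eval "$(render_unquoted "$1" "$2")"
}

# Numeric parameters must be unsigned integers and nothing else.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Patch paths: relative, conservative character set, no leading '-' (which
# patch would parse as an option) and no '..' (escaping the source tree).
is_safe_relpath() {
    case "$1" in
        ''|-*|/*|*..*|*[!A-Za-z0-9._/+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# POSIX single-quoting: wrap in '...' and rewrite embedded ' as '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened rendering: reject malformed inputs, quote what is accepted.
run_hardened() {
    is_uint "$1" || { printf 'rejected strip count: %s\n' "$1" >&2; return 2; }
    is_safe_relpath "$2" || { printf 'rejected patch path: %s\n' "$2" >&2; return 2; }
    eval "patch -p$1 -i $(shell_quote "$2")"
}

# Demonstration when run directly.
run_unquoted 1 "$EVIL_PATCH"          # second output line is INJECTED
if ! run_hardened 1 "$EVIL_PATCH"; then
    echo "hardened pipeline refused the input"
fi
run_hardened 1 fix.patch
```

The validation is the part that matters: quoting alone would stop the `;` breakout but still let a filename such as `-R` be parsed by patch as an option. When the step can be restructured, passing inputs as positional arguments (`sh -c 'patch -p"$1" -i "$2"' sh "$strip" "$file"`) avoids templating values into script text at all; the allow-list checks should stay either way.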

Fix: fixed in commit bd132535, released in 0.40.3.

Acknowledgements

melange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.

CVSS

Severity: High
Base Score: 7.8
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr
https://nvd.nist.gov/vuln/detail/CVE-2026-25143
https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030
https://github.com/chainguard-dev/melange

Basic Information

Base CVSS: 7.8
EPSS Probability: 0.00009%
EPSS Percentile: 0.00897%
Introduced Versions: 0.10.0, v0.2.0, v0.0.0-20221108141913-31569fc4da2b, v0.1.0, v0.0.0-20220411202609-94879cc3c6db
Fix Available: 0.40.3, v0.40.3, v0.0.0-20260130150610-bd132535cd9f
