GHSA-2w4f-9fgg-q2v9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2w4f-9fgg-q2v9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2w4f-9fgg-q2v9/GHSA-2w4f-9fgg-q2v9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2w4f-9fgg-q2v9
- Aliases
- Related
- Published
- 2026-02-04T00:09:57Z
- Modified
- 2026-02-05T10:25:59.451228Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- melange has a path traversal in license-path which allows reading files outside workspace
- Details
-
An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The
LicensingInfosfunction inpkg/config/config.goreads license files specified incopyright[].license-pathwithout validating that paths remain within the workspace directory, allowing path traversal via../sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts.Fix: Merged in commit 2f95c9f4
Acknowledgements
melange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.
- Database specific
{ "github_reviewed_at": "2026-02-04T00:09:57Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "nvd_published_at": "2026-02-04T20:16:06Z", "severity": "MODERATE" }- References
Affected packages
Go / chainguard.dev/melange
Package
- Name
- chainguard.dev/melange
- View open source insights on deps.dev
- Purl
- pkg:golang/chainguard.dev/melange