GHSA-rf4g-89h5-crcr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rf4g-89h5-crcr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rf4g-89h5-crcr/GHSA-rf4g-89h5-crcr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rf4g-89h5-crcr
- Aliases
- Related
- Published
- 2026-02-04T00:09:15Z
- Modified
- 2026-02-05T10:11:12.792309Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- melange affected by potential host command execution via license-check YAML mode patch pipeline
- Details
-
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context.
The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process.
Fix: Fixed in bd132535 , Released in 0.40.3.
Acknowledgements
melange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.
- Database specific
{ "github_reviewed_at": "2026-02-04T00:09:15Z", "github_reviewed": true, "cwe_ids": [ "CWE-78" ], "nvd_published_at": "2026-02-04T20:16:06Z", "severity": "HIGH" }- References
Affected packages
Go / chainguard.dev/melange
Package
- Name
- chainguard.dev/melange
- View open source insights on deps.dev
- Purl
- pkg:golang/chainguard.dev/melange