CVE-2025-54059 is a medium-severity vulnerability identified in the chainguard-dev melange tool, specifically affecting versions from 0.23.0 up to but not including 0.29.5. Melange is a tool used to build APK packages through declarative pipelines, and it generates Software Bill of Materials (SBOM) files as part of the packaging process. The vulnerability arises from incorrect default file system permissions assigned to these SBOM files within the APKs. Specifically, the SBOM files were created with permissions mode 666 (readable and writable by all users), which is overly permissive. This misconfiguration allows unprivileged users on the system to modify or tamper with the SBOM files of running images. Such tampering can mislead security scanners that rely on SBOMs for verifying package integrity and security posture, potentially masking malicious modifications or vulnerabilities. Additionally, under certain conditions, attackers could exploit this to cause denial of service (DoS), for example by corrupting or deleting SBOM files critical to system operations or security monitoring. The vulnerability does not require user interaction but does require local privileges (low complexity) to exploit. The issue was resolved in version 0.29.5 of melange by correcting the default file permissions to a more secure setting, preventing unauthorized modification of SBOM files. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 4.4, reflecting limited impact on confidentiality but some impact on integrity and availability due to potential tampering and DoS. This vulnerability is categorized under CWE-276 (Incorrect Default Permissions).

For European organizations using melange within their software supply chain or containerized environments, this vulnerability poses a risk to the integrity and availability of SBOM data, which is critical for security auditing, compliance, and vulnerability management. Tampering with SBOM files could lead to inaccurate security assessments, allowing malicious code or vulnerable components to go undetected. This undermines trust in software provenance and could facilitate further attacks or compliance violations, especially under strict European regulations like GDPR and NIS Directive that emphasize security and transparency. The potential for denial of service, while conditional, could disrupt automated build or deployment pipelines, impacting operational continuity. Organizations relying on melange for APK packaging should consider this vulnerability a moderate risk, particularly if multiple users have local access to build or runtime environments. The lack of remote exploitability limits the threat surface, but insider threats or compromised accounts could leverage this vulnerability to degrade security controls or disrupt services.

European organizations should upgrade melange to version 0.29.5 or later immediately to ensure the default file permissions for SBOM files are correctly set. Until the upgrade is applied, restrict local user permissions on build and runtime environments to trusted personnel only, minimizing the risk of unauthorized file tampering. Implement file integrity monitoring specifically targeting SBOM files to detect unauthorized changes promptly. Incorporate access control mechanisms such as mandatory access control (e.g., SELinux, AppArmor) to enforce stricter file permissions beyond default settings. Review and harden pipeline and container runtime security policies to limit write access to critical files. Additionally, integrate SBOM verification steps in CI/CD pipelines to detect inconsistencies or tampering early. Regularly audit user accounts and permissions on build systems to prevent privilege escalation or misuse. Finally, maintain up-to-date vulnerability management processes to quickly respond to new patches and advisories related to melange and related tooling.