CVE-2026-25145 is a path traversal vulnerability classified under CWE-22 found in the melange tool developed by chainguard-dev, which is used for building apk packages via declarative pipelines. Specifically, versions from 0.14.0 to before 0.40.3 contain a flaw in the LicensingInfos function located in pkg/config/config.go. This function reads license files specified in the copyright[].license-path field without properly validating that the file paths remain confined within the intended workspace directory. An attacker capable of influencing the melange configuration file—commonly through pull request-driven continuous integration (CI) or build-as-a-service scenarios—can exploit this by inserting '../' sequences in the license-path to traverse directories outside the workspace. This allows reading arbitrary files on the host system. The contents of these files are then embedded into the generated Software Bill of Materials (SBOM) as license text, effectively leaking sensitive host data through build artifacts. The vulnerability requires user interaction to trigger the build process but does not require any privileges or authentication. The CVSS v3.1 base score is 5.5 (medium severity), reflecting local attack vector with low complexity, no privileges required, user interaction needed, and high confidentiality impact but no integrity or availability impact. The issue was publicly disclosed on February 4, 2026, and patched in melange version 0.40.3. No known exploits in the wild have been reported to date.

For European organizations, this vulnerability poses a significant risk of sensitive data leakage from build environments, especially those employing melange in CI/CD pipelines or build-as-a-service platforms. Attackers who can submit or influence build configurations—such as external contributors in open-source projects or third-party developers—could exploit this flaw to access confidential files on build hosts, including credentials, proprietary source code, or internal documentation. The exfiltrated data embedded in SBOMs may then be inadvertently shared or exposed, increasing the risk of intellectual property theft or compliance violations under regulations like GDPR. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach could lead to reputational damage, regulatory penalties, and further targeted attacks. Organizations relying on melange for package builds should consider the sensitivity of their build environments and the trustworthiness of contributors to mitigate exploitation risks.

1. Upgrade melange to version 0.40.3 or later, where the path traversal vulnerability is patched. 2. Restrict who can influence melange configuration files, especially in CI/CD pipelines—limit pull request merges and build triggers to trusted users. 3. Implement strict validation and sanitization of all inputs in build configurations, particularly paths specifying license files. 4. Isolate build environments using containerization or sandboxing to limit access to host filesystem outside the workspace. 5. Monitor build artifacts and SBOM outputs for unexpected or suspicious license text content that may indicate exfiltration attempts. 6. Employ file integrity monitoring on build hosts to detect unauthorized file reads or access patterns consistent with path traversal. 7. Review and audit existing SBOMs generated by affected melange versions for embedded sensitive data and rotate any potentially exposed credentials. 8. Educate developers and CI administrators about the risks of accepting untrusted configuration inputs and enforce code review policies accordingly.