The vulnerability CVE-2026-25145 affects chainguard-dev's melange, a tool used to build apk packages via declarative pipelines. Between versions 0.14.0 and before 0.40.3, melange's LicensingInfos function in pkg/config/config.go improperly validates paths specified in copyright[].license-path. Specifically, it does not restrict pathname traversal sequences such as '../', allowing attackers to escape the intended workspace directory. An attacker capable of influencing melange configuration files—common in CI/CD environments where builds are triggered by pull requests or external inputs—can specify license paths that point to arbitrary files on the host system. When melange reads these files to embed license information into the Software Bill of Materials (SBOM), it inadvertently includes the contents of sensitive files. This creates a covert channel for exfiltrating confidential data through build artifacts. The vulnerability requires no privileges (PR:N) but does require user interaction (UI:R) to trigger the build process. The attack vector is local (AV:L), meaning the attacker must have the ability to modify configuration files or influence the build environment. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. No known exploits are reported in the wild, and the issue was patched in version 0.40.3.

For European organizations, this vulnerability poses a significant confidentiality risk in environments that use melange for package building, especially in CI/CD pipelines that accept external contributions or run build-as-a-service models. Sensitive files on build hosts, such as credentials, configuration files, or proprietary source code, could be exposed through manipulated SBOM license fields. This could lead to intellectual property theft, leakage of personal data subject to GDPR, or exposure of internal infrastructure details. Since the vulnerability requires the ability to influence configuration files, organizations with open or semi-open build environments are at higher risk. The impact is heightened in sectors with strict data protection requirements, such as finance, healthcare, and government. However, the lack of integrity or availability impact limits the scope to data confidentiality breaches. The medium CVSS score reflects the moderate ease of exploitation combined with the significant confidentiality impact.

European organizations should immediately upgrade melange to version 0.40.3 or later where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement strict validation and sanitization of all inputs influencing melange configuration files, particularly license-path entries. Restrict write access to configuration files to trusted users and processes only, minimizing the risk of unauthorized modifications. Employ build isolation techniques such as containerization or sandboxing to limit the scope of file system access during builds. Monitor build artifacts and SBOM outputs for unexpected license text content that could indicate exploitation attempts. Additionally, enforce strict code review and CI pipeline security controls to prevent untrusted code or configuration changes from being merged or executed. Finally, consider implementing file system access controls or mandatory access control (MAC) policies to prevent unauthorized file reads by build processes.