Melange is a tool for building apk packages using declarative pipelines. In versions from 0.32.0 up to 0.43.4, the function responsible for compiling pipelines did not validate the 'uses' field in pipeline configurations, allowing path traversal via '../' or absolute paths. This flaw permitted attackers controlling configuration files (e.g., in CI or build-as-a-service environments) to cause melange to load and execute arbitrary pipeline YAML files outside the intended directory, leading to execution of shell commands during the build sandbox. The issue was fixed in version 0.43.4 by rejecting absolute paths and '..' sequences and ensuring the resolved path stays within the pipeline directory.

An attacker able to influence melange configuration files can execute arbitrary shell commands during the build process by causing melange to load and run out-of-tree pipeline files. This bypasses the normal review boundary for pipeline definitions, potentially leading to unauthorized code execution with the privileges of the melange process. The CVSS 3.1 score is 6.1 (medium severity), reflecting local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact.

A fix is available in melange version 0.43.4, which rejects 'uses' values that are absolute paths or contain '..' sequences and verifies that resolved paths remain within the pipeline directory. Until upgrading, users should only run 'melange build' on configuration files from trusted sources. In CI systems that build user-supplied melange configurations, manual review of 'pipeline[].uses' values should be enforced to reject any containing '..' or leading '/'. Patch status is not explicitly confirmed beyond the fix in version 0.43.4; users should upgrade to this version or later.