CVE-2026-29051: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-dev melange
CVE-2026-29051 is a path traversal vulnerability in chainguard-dev melange versions 0. 32. 0 up to but not including 0. 43. 4. When the --persist-lint-results flag is used, melange constructs output file paths from unvalidated values read from APK metadata, allowing an attacker supplying a malicious APK to cause melange to write JSON lint reports to arbitrary filesystem locations. This can overwrite existing JSON files but does not allow direct code execution. The vulnerability only affects deployments explicitly using the --persist-lint-results flag, which is off by default. The issue is fixed in version 0. 43.
AI Analysis
Technical Summary
Melange, a tool for building APK packages, had a path traversal vulnerability (CWE-22) in versions 0.32.0 through 0.43.3 when using the --persist-lint-results option. The tool concatenated output paths using unvalidated 'arch' and 'pkgname' values from the APK's .PKGINFO file, allowing attackers who can supply APKs to cause arbitrary file writes of JSON lint reports. This could overwrite existing JSON artifacts on disk. The vulnerability does not lead to code execution. It was fixed in version 0.43.4 by validating these values to disallow '..' and path separators before path construction.
Potential Impact
An attacker able to supply APKs to a melange-based lint or build pipeline that uses the --persist-lint-results flag can cause melange to write JSON lint report files to arbitrary paths on the filesystem accessible by the melange process. This can overwrite or clobber existing JSON files, potentially disrupting build or lint results. There is no direct confidentiality or code execution impact. The attack requires the flag to be enabled and the ability to supply APKs to the pipeline.
Mitigation Recommendations
A fix is available in melange version 0.43.4, which validates input values to prevent path traversal. Until upgrading, do not use the --persist-lint-results flag on untrusted APKs. Running melange as a low-privileged user and restricting output directories can limit impact. Since the flag is off by default, disabling it avoids exposure. Patch status is not explicitly stated but the fix is included in version 0.43.4; users should upgrade to this version or later.
CVE-2026-29051: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-dev melange
Description
CVE-2026-29051 is a path traversal vulnerability in chainguard-dev melange versions 0. 32. 0 up to but not including 0. 43. 4. When the --persist-lint-results flag is used, melange constructs output file paths from unvalidated values read from APK metadata, allowing an attacker supplying a malicious APK to cause melange to write JSON lint reports to arbitrary filesystem locations. This can overwrite existing JSON files but does not allow direct code execution. The vulnerability only affects deployments explicitly using the --persist-lint-results flag, which is off by default. The issue is fixed in version 0. 43.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Melange, a tool for building APK packages, had a path traversal vulnerability (CWE-22) in versions 0.32.0 through 0.43.3 when using the --persist-lint-results option. The tool concatenated output paths using unvalidated 'arch' and 'pkgname' values from the APK's .PKGINFO file, allowing attackers who can supply APKs to cause arbitrary file writes of JSON lint reports. This could overwrite existing JSON artifacts on disk. The vulnerability does not lead to code execution. It was fixed in version 0.43.4 by validating these values to disallow '..' and path separators before path construction.
Potential Impact
An attacker able to supply APKs to a melange-based lint or build pipeline that uses the --persist-lint-results flag can cause melange to write JSON lint report files to arbitrary paths on the filesystem accessible by the melange process. This can overwrite or clobber existing JSON files, potentially disrupting build or lint results. There is no direct confidentiality or code execution impact. The attack requires the flag to be enabled and the ability to supply APKs to the pipeline.
Mitigation Recommendations
A fix is available in melange version 0.43.4, which validates input values to prevent path traversal. Until upgrading, do not use the --persist-lint-results flag on untrusted APKs. Running melange as a low-privileged user and restricting output directories can limit impact. Since the flag is off by default, disabling it avoids exposure. Patch status is not explicitly stated but the fix is included in version 0.43.4; users should upgrade to this version or later.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-03T17:50:11.243Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eab7a187115cfb68850e1b
Added to database: 4/24/2026, 12:21:53 AM
Last enriched: 4/24/2026, 12:36:52 AM
Last updated: 4/24/2026, 6:10:27 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.