Melange is a tool for building APK packages using declarative pipelines. In affected versions (>=0.32.0 and <0.43.4), when the opt-in flag --persist-lint-results is used, melange constructs output file paths by joining the --out-dir parameter with the arch and pkgname values read from the APK's .PKGINFO control file. These values were not validated for path separators or '..' sequences, enabling a path traversal vulnerability (CWE-22). An attacker who can supply an APK to a melange-based lint/build pipeline can cause melange to write the lint JSON report to arbitrary paths accessible by the melange process, potentially overwriting existing JSON artifacts. There is no direct code execution vector. The vulnerability is fixed in melange v0.43.4 by validating arch and pkgname for invalid path characters before path construction. The vulnerability only applies when --persist-lint-results is explicitly enabled.

An attacker able to supply APKs to a melange lint/build pipeline that uses the --persist-lint-results flag can cause arbitrary file write of JSON lint reports to paths outside the intended output directory. This can overwrite existing JSON files, potentially disrupting build or lint artifacts. There is no direct impact on confidentiality or code execution. The impact is limited to integrity and availability of JSON lint report files. The vulnerability does not affect default melange usage since the flag is off by default.

The vulnerability is fixed in melange version 0.43.4 by validating input values before path construction. Users should upgrade to version 0.43.4 or later. As a workaround, do not use the --persist-lint-results flag when linting or building APKs with untrusted .PKGINFO contents. Running melange as a low-privileged user and restricting write permissions to an isolated directory further limits potential impact. Patch status is not explicitly stated in vendor advisory content, but the fix is included in version 0.43.4.