VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026

melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

CVE-2026-29049

Description

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. There is no known patch publicly available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unbounded HTTP download in melange update-cache can exhaust disk on build runners via attacker-controlled URIs.

Vulnerability

CVE-2026-29049 is a resource exhaustion vulnerability in the melange update-cache functionality of melange (up to version 0.40.5). The bug lives in pkg/renovate/cache/cache.go, where the code uses io.Copy to download content referenced by URIs in build configuration files without imposing any size limit or HTTP client timeout [1]. This means an attacker can supply a URI that points to a large or infinite stream of data.

Exploitation

An attacker with the ability to influence a melange build configuration (for example, by submitting a malicious pull request to a CI pipeline that uses melange) can set an update-cache URI to point to an attacker-controlled endpoint that sends data indefinitely. No authentication or special privileges beyond writing to a melange config file are needed [2]. The build runner will then download that content without bound.

Impact

Because the download has no size quota, it can exhaust available disk space on the build runner. In CI/CD environments, this can lead to denial of service for the runner, impacting all builds that share that infrastructure. There is no confidentiality or integrity impact described, but availability is severely affected [3].

Mitigation

As of the publication date (March 6, 2026), no patch is publicly available [1]. Users are advised to restrict the ability to modify melange configurations to trusted parties only, and to monitor disk usage on runners that process external build configs. Until a patch is released, manual validation of URIs in update-cache directives or use of network-level controls to limit download sizes may be necessary.
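The Vulnerability section above describes the unbounded pattern (io.Copy from a response body, no client timeout, no size cap) and the Mitigation section recommends limiting download sizes. The following Go program is an added example that is not melange's own code: fetchBounded is a hypothetical hardened download helper, newDemoServer is a constructed stand-in for a hostile origin that streams forever, and runDemo is a hypothetical driver. It shows how a per-download cap, a Content-Length pre-check, a client timeout and a temp-file-then-rename write keep an endless body from ever filling the runner's disk.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

// ErrTooLarge is returned when a response body exceeds the configured cap.
var ErrTooLarge = errors.New("download exceeds configured size limit")

// The pattern the advisory describes is a plain io.Copy(file, resp.Body) fed by
// a client with no timeout, so the only limit is the disk. fetchBounded is a
// hypothetical hardened replacement (not melange's code): the caller supplies a
// client with a timeout, a declared Content-Length above the cap is rejected
// before any bytes are read, and a hard cap is enforced while streaming so at
// most maxBytes+1 bytes ever reach the disk. Oversized or failed downloads
// leave nothing at dst.
func fetchBounded(ctx context.Context, client *http.Client, uri, dst string, maxBytes int64) (int64, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("fetch %s: unexpected status %s", uri, resp.Status)
	}
	if resp.ContentLength > maxBytes { // server already admits it is too big
		return 0, ErrTooLarge
	}
	// Stream into a temp file beside dst so a partial download is never mistaken for a cached artifact.
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".partial-*")
	if err != nil {
		return 0, err
	}
	defer os.Remove(tmp.Name()) // harmless no-op after a successful rename
	// Read at most maxBytes+1: receiving the extra byte proves the cap was exceeded.
	n, err := io.Copy(tmp, io.LimitReader(resp.Body, maxBytes+1))
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	switch {
	case err != nil:
		return n, err
	case n > maxBytes:
		return n, ErrTooLarge
	}
	return n, os.Rename(tmp.Name(), dst)
}

// newDemoServer is a constructed stand-in for a hostile origin: /small serves
// 16 bytes, /endless streams 64 KiB chunks until the client hangs up.
func newDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/small", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("constructed-data"))
	})
	mux.HandleFunc("/endless", func(w http.ResponseWriter, r *http.Request) {
		chunk := make([]byte, 64*1024)
		for r.Context().Err() == nil {
			if _, err := w.Write(chunk); err != nil {
				return
			}
			if f, ok := w.(http.Flusher); ok {
				f.Flush()
			}
		}
	})
	return httptest.NewServer(mux)
}

// runDemo fetches both paths under a cap and reports the stored size of the
// small file and the error observed for the endless stream.
func runDemo(maxBytes int64) (smallBytes int64, endlessErr error, err error) {
	srv := newDemoServer()
	defer srv.Close()
	dir, err := os.MkdirTemp("", "cache-demo")
	if err != nil {
		return 0, nil, err
	}
	defer os.RemoveAll(dir)
	client := srv.Client()
	client.Timeout = 30 * time.Second // bounds the whole exchange, body read included
	small := filepath.Join(dir, "small.tar.gz")
	if smallBytes, err = fetchBounded(context.Background(), client, srv.URL+"/small", small, maxBytes); err != nil {
		return 0, nil, err
	}
	_, endlessErr = fetchBounded(context.Background(), client, srv.URL+"/endless", filepath.Join(dir, "endless.tar.gz"), maxBytes)
	return smallBytes, endlessErr, nil
}
```

Calling runDemo(1 << 20) stores the 16-byte file and returns ErrTooLarge for the endless stream after reading just over 1 MiB, at which point the client closes the connection and the demo server's handler exits. The cap is the important control: a client timeout alone still lets a fast server write gigabytes before the deadline, and a Content-Length check alone is defeated by chunked encoding, which is why both are combined with the LimitReader on the actual byte stream.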

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
chainguard.dev/melange (Go)  <= 0.40.5           (none)


Patches

No patches discovered yet.
