VYPR
Moderate severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026

melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

CVE-2026-29049

Description

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
chainguard.dev/melangeGo
<= 0.40.5

Affected products

5

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.