`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

GHSA-7rp8-r62p-q6wc · CVE-2026-29049 · GO-2026-4588

Published Mar 2, 2026 · Modified Mar 23, 2026

Description

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5.

Fix: Merged
Acknowledgements

melange thanks Oleh Konko from 1seal for discovering and reporting this issue.

References

WEB https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-29049
PACKAGE https://github.com/chainguard-dev/melange

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes