Melange, Arbitrary Command Execution via working-directory Substitution (CVE-not-provided)

Listen to this Post

The vulnerability exists in the processing of the `working-directory` field within Melange build pipelines. When a pipeline uses `${{vars.}}` or `${{inputs.}}` substitutions in the `working-directory` field, these user-provided values are not properly sanitized or escaped before being embedded into generated shell scripts. An attacker who controls the input values to a build (such as pipeline variables or inputs) can inject shell metacharacters. Because the content of the `working-directory` is placed directly into a shell command context without being quoted, these metacharacters are interpreted by the shell. This allows the attacker to break out of the intended directory path argument and execute arbitrary commands with the privileges of the build process. The issue is specifically in the code that constructs the shell commands for setting the working directory, where string concatenation without proper escaping creates a command injection primitive.
Platform: melange
Version: unknown
Vulnerability: Arbitrary command execution
Severity: unknown
date: unknown

Prediction: Patch released

What Undercode Say:

Example of a malicious input that could exploit this vulnerability
inputs.myinput="; cat /etc/passwd "
The constructed shell command might look like:
cd ${{inputs.myinput}} && ./build-script.sh
Which becomes:
cd ; cat /etc/passwd && ./build-script.sh

How Exploit:

Attacker provides crafted `${{inputs.}}` or `${{vars.}}` values containing shell metacharacters (e.g., ;, &&, |) followed by arbitrary commands during a build. These commands execute in the context of the Melange build runner.

Protection from this CVE:

Apply fix from commit e51ca30c. Sanitize and escape all user-controlled data used in shell command construction. Implement context-aware escaping for shell arguments.

Impact:

Remote Code Execution (RCE), compromise of build integrity, potential supply chain attack.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top