melange, Path Traversal, CVE-not-provided (medium)

Listen to this Post

The vulnerability exists in melange’s `lint` command when the optional flag `–persist-lint-results` is used (also available via melange build --persist-lint-results). When this flag is enabled, melange reads the `.PKGINFO` control file from an APK being linted to extract the `arch` and `pkgname` fields. It then constructs an output file path for a JSON lint report by joining the user-supplied `–out-dir` with these two values, forming a filename like lint-<pkgname>-<pkgver>-r<epoch>.json. In affected versions (before v0.43.4), melange performed no validation on the `arch` or `pkgname` strings. An attacker who can supply a malicious APK (for example, in a CI pipeline that lints third‑party packages, or a build‑as‑a‑service environment) can embed path traversal sequences such as `..` or `/` (or platform‑specific separators like \) into `pkgname` or arch. Because the path is built via simple concatenation, an attacker can force the report to be written to an arbitrary location on the filesystem that the melange process can write to. For instance, a `pkgname` value of `../../etc/passwd` would cause the output path to traverse outside --out-dir. The written file is a JSON lint report; its content is partially attacker‑influenced (the lint findings reflect the malicious APK structure, but the attacker cannot directly execute code). However, the ability to write arbitrary files can lead to clobbering other JSON artifacts (e.g., overwriting build caches or critical configuration files). The issue only manifests when `–persist-lint-results` is explicitly passed – the flag is off by default. The attack requires the target to run melange against an untrusted APK with that flag enabled.

dailycve form:

Platform: melange
Version: before v0.43.4
Vulnerability: Path traversal via .PKGINFO
Severity: medium
date: 2026-04-23

Prediction: Patched version v0.43.4

What Undercode Say:

Simulate malicious APK .PKGINFO content
echo "pkgname = ../../../tmp/evil" > .PKGINFO
echo "arch = x86_64" >> .PKGINFO
Run melange lint with vulnerable flag (pre-patch)
melange lint --persist-lint-results --out-dir ./reports malicious.apk
After patch (v0.43.4), validation rejects path sequences
melange lint --persist-lint-results --out-dir ./reports malicious.apk
Expected error: invalid pkgname contains '..' or '/'

Exploit:

An attacker crafts an APK where the `.PKGINFO` file contains pkgname = ../../sensitive/lint-result.json. When a victim runs melange lint --persist-lint-results --out-dir /safe/path malicious.apk, melange writes the JSON report to `/safe/path/../../sensitive/lint-result.json` → effectively /sensitive/lint-result.json. The attacker can overwrite any `.json` file writable by the melange process, potentially disrupting services or poisoning build pipelines.

Protection from this CVE:

  • Upgrade to melange v0.43.4 or later, which validates `arch` and `pkgname` against .., /, and filepath.Separator.
  • Do not pass `–persist-lint-results` when linting APKs from untrusted sources.
  • Run melange as a low‑privileged user and confine writes to an isolated directory (e.g., a dedicated temp folder with no sensitive files).
  • Use filesystem capabilities or containers to restrict write permissions.

Impact:

An unauthenticated attacker (supplying a malicious APK) can write a partially‑controlled JSON file to an arbitrary location on the target system, limited only by the melange process’s filesystem permissions. This can corrupt critical JSON artifacts, overwrite configuration files, or break downstream processes that rely on specific JSON content. No direct code execution; however, combined with other vulnerabilities, the arbitrary write could be escalated. The risk is highest in automated CI/CD environments that routinely lint external APKs with `–persist-lint-results` enabled.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top