Vulnerability in Chainguard-dev Melange
CVE-2025-54059
melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unpriv…
EPSS: 0.001 (23.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.4 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.
Affected products
- Chainguard-dev Melange — versions >= 0.23.0, < 0.29.5
Weakness classification (CWE)
References
- https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh (x_refsource_CONFIRM)
- https://github.com/chainguard-dev/melange/pull/1836 (x_refsource_MISC)
- https://github.com/chainguard-dev/melange/pull/2086 (x_refsource_MISC)
- https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04 (x_refsource_MISC)
- https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1 (x_refsource_MISC)
- https://github.com/chainguard-dev/melange/releases/tag/v0.23.0 (x_refsource_MISC)
- https://github.com/chainguard-dev/melange/releases/tag/v0.29.5 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-54059?
- CVE-2025-54059 is a medium-severity vulnerability in Chainguard-dev Melange, classified under Incorrect Default Permissions. CVSS score: 4.4/10. Published 2025-07-18.
- How severe is CVE-2025-54059?
- Medium severity. CVSS v3 base score is 4.4 out of 10.