CVE-2026-29049
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
Melange version 0.40.5 and earlier downloads URIs from build configs using io.Copy without any size limit or HTTP client timeout. An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk space on the build runner.
Risk Assessment
The risk is a denial-of-service attack via disk exhaustion on the CI/CD server, potentially disrupting build processes and causing infrastructure failure.
Recommendation
Upgrade melange to version 0.43.4 or later, which includes a patch that limits download size and sets an HTTP connection timeout.
Original NVD description (English source)
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. Version 0.43.4 contains a patch.

