GHSA-7rp8-r62p-q6wcMediumCVSS 4.3

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

Published
March 2, 2026
Last Modified
July 7, 2026

🔗 CVE IDs covered (1)

📋 Description

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5.

Fix: Merged Acknowledgements

Thank you to Oleh Konko from 1seal for discovering and reporting this issue.

🎯 Affected products1

  • go/chainguard.dev/melange:< 0.43.4

🔗 References (6)