GHSA-fpg8-7664-jc5qHighCVSS 8.3

melange: Incomplete package integrity verification allows data section substitution

Published
July 10, 2026
Last Modified
July 10, 2026

🔗 CVE IDs covered (1)

📋 Description

Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

🎯 Affected products2

  • go/chainguard.dev/apko:< 1.2.9
  • go/chainguard.dev/melange:< 0.50.4

🔗 References (2)