| id: GO-2025-3815 |
| modules: |
| - module: chainguard.dev/melange |
| versions: |
| - introduced: 0.23.0 |
| - fixed: 0.29.5 |
| vulnerable_at: 0.29.4 |
| summary: |- |
| melange's world-writable permissions expose SBOM files to potential image |
| tampering in chainguard.dev/melange |
| cves: |
| - CVE-2025-54059 |
| ghsas: |
| - GHSA-5662-cv6m-63wh |
| references: |
| - advisory: https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54059 |
| - web: https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04 |
| - web: https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1 |
| - web: https://github.com/chainguard-dev/melange/pull/1836 |
| - web: https://github.com/chainguard-dev/melange/pull/2086 |
| - web: https://github.com/chainguard-dev/melange/releases/tag/v0.29.5 |
| source: |
| id: GHSA-5662-cv6m-63wh |
| created: 2025-07-28T21:01:47.748599289Z |
| review_status: UNREVIEWED |
