{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T02:26:02.914","vulnerabilities":[{"cve":{"id":"CVE-2025-54059","sourceIdentifier":"security-advisories@github.com","published":"2025-07-18T16:15:30.180","lastModified":"2026-06-17T09:39:20.900","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."},{"lang":"es","value":"Melange permite a los usuarios crear paquetes APK mediante pipelines declarativos. A partir de la versión 0.23.0 y anteriores a la 0.29.5, los archivos SBOM generados por Melange en APK tenían permisos de sistema de archivos en modo 666. Esto podría permitir que un usuario sin privilegios altere los SBOM de APK en una imagen en ejecución, lo que podría confundir a los escáneres de seguridad. Un atacante también podría realizar un ataque de DoS en circunstancias especiales. La versión 0.29.5 corrige el problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"chainguard-dev","product":"melange","versions":[{"version":">= 0.23.0, < 0.29.5","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-07-18T15:53:51.678522Z","id":"CVE-2025-54059","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-276"}]}],"references":[{"url":"https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/pull/1836","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/pull/2086","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/releases/tag/v0.23.0","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/releases/tag/v0.29.5","source":"security-advisories@github.com"},{"url":"https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh","source":"security-advisories@github.com"}]}}]}