Melange Unbounded Disk Write Vulnerability in Update-Cache Function

Vulnerability

A vulnerability exists in Melange versions through 0.40.5 that allows unbounded disk writes via the 'update-cache' function. The function downloads the URIs listed in build configurations without any size limit or HTTP client timeout, so an attacker who can place a controlled URI in a Melange config can cause excessive disk usage on the build runner.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by exhausting disk space on the build runner.

Added: Mar 6, 2026, 7:53 AM
Updated: Mar 6, 2026, 7:53 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.