Is chainguard.dev/melange affected by CVE-2026-25145?

Go chainguard.dev/melange is affected in >=0.14.0 <0.40.3.

Is CVE-2026-25145 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

medium

CVE-2026-25145

Q: Is CVE-2026-25145 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

Go · chainguard.dev/melange

Summary

melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange

Severity: medium
EPSS: 0.2% (p6)
Also known as: GHSA-2w4f-9fgg-q2v9, GO-2026-4409
Published: 2026-02-05

References

https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9
https://nvd.nist.gov/vuln/detail/CVE-2026-25145
https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4

Related advisories

CVE-2026-29050 — medium · Go/chainguard.dev/melange
CVE-2026-29049 — medium · Go/chainguard.dev/melange
CVE-2026-24843 — medium · Go/chainguard.dev/melange
CVE-2026-24844 — medium · Go/chainguard.dev/melange
CVE-2026-25143 — medium · Go/chainguard.dev/melange

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.