Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-29049
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): LOW
Activity log
- Created suggestion
melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
References
Affected products
melange
- ==<= 0.40.5
Matching in nixpkgs
pkgs.melange
Build APKs from source code
pkgs.ocamlPackages.melange
Toolchain to produce JS from Reason/OCaml
pkgs.ocamlPackages.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
pkgs.ocamlPackages_latest.melange
Toolchain to produce JS from Reason/OCaml
pkgs.ocamlPackages.melange-json-native
Compositional JSON encode/decode PPX for OCaml
pkgs.ocamlPackages_latest.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
pkgs.ocamlPackages_latest.melange-json-native
Compositional JSON encode/decode PPX for OCaml
Package maintainers
-
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
-
@GirardR1006 Julien Girard-Satabin <julien.girard2@cea.fr>