CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-7rp8-r62p-q6wc: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI

mediumCVSS 4.3CVE-2026-29049
melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5. Fix: Merged Acknowledgements Thank you to Oleh Konko from 1seal for discovering and reporting this issue.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 4.3
Published
2026-03-02
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-7rp8-r62p-q6wc

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-29049coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories