CVE-2026-29049: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI

March 2, 2026 (updated March 6, 2026)

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5.

Fix: Merged Acknowledgements

melange thanks Oleh Konko from 1seal for discovering and reporting this issue.

References

github.com/advisories/GHSA-7rp8-r62p-q6wc
github.com/chainguard-dev/melange
github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
nvd.nist.gov/vuln/detail/CVE-2026-29049

Code Behaviors & Features

Detect and mitigate CVE-2026-29049 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →