melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set "pipeline[].uses" to a value containing "../" sequences or an absolute path. The "(*Compiled).compilePipeline" function in "pkg/build/compile.go" passed "uses" directly to "filepath.Join(pipelineDir, uses + ".yaml")" without validating the value, so the resolved path could escape each "--pipeline-dir" and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its "runs:" block is executed via "/bin/sh -c" in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects "uses" values that are absolute paths or contain "..", and verifies (via "filepath.Rel" after "filepath.Clean") that the resolved target remains within the pipeline directory. As a workaround, only run "melange build" against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of "pipeline[].uses" values and reject any containing ".." or leading "/".