CVE-2026-25121

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14	Patch
https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-04 19:16

Updated : 2026-02-20 21:31

NVD link : CVE-2026-25121

Mitre link : CVE-2026-25121

CVE.ORG link : CVE-2026-25121

JSON object : View

Products Affected

chainguard

apko

CWE

CWE-23

Relative Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-25121", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-04T19:16:14.790", "references": [{"url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "apko permite a los usuarios construir y publicar im\u00e1genes de contenedor OCI construidas a partir de paquetes apk. Desde la versi\u00f3n 0.14.8 hasta antes de la 1.1.1, se descubri\u00f3 una vulnerabilidad de salto de ruta en la abstracci\u00f3n del sistema de archivos dirFS de apko. Un atacante que pueda suministrar un paquete APK malicioso (por ejemplo, a trav\u00e9s de un repositorio comprometido o con typosquatting) podr\u00eda crear directorios o enlaces simb\u00f3licos fuera de la ra\u00edz de instalaci\u00f3n prevista. Los m\u00e9todos MkdirAll, Mkdir y Symlink en pkg/apk/fs/rwosfs.go usan filepath.Join() sin validar que la ruta resultante permanezca dentro del directorio base. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "lastModified": "2026-02-20T21:31:35.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D4999F65-41B1-42B5-8BFE-C5DD249E18F3", "versionEndExcluding": "1.1.1", "versionStartIncluding": "0.14.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}