CVE-2026-25122

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09	Patch
https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-04 19:16

Updated : 2026-02-20 21:31

NVD link : CVE-2026-25122

Mitre link : CVE-2026-25122

CVE.ORG link : CVE-2026-25122

JSON object : View

Products Affected

chainguard

apko

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-25122", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-04T19:16:14.960", "references": [{"url": "https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0."}, {"lang": "es", "value": "apko permite a los usuarios construir y publicar im\u00e1genes de contenedor OCI construidas a partir de paquetes apk. Desde la versi\u00f3n 0.14.8 hasta antes de la 1.1.0, expandapk.Split drena el primer flujo gzip de un archivo APK a trav\u00e9s de io.Copy(io.Discard, gzi) sin l\u00edmites expl\u00edcitos. Con un flujo de entrada controlado por un atacante, esto puede forzar un gran trabajo de descompresi\u00f3n gzip y llevar al agotamiento de recursos (impacto en la disponibilidad). La funci\u00f3n Split lee la primera cabecera tar, luego drena el resto del flujo gzip leyendo directamente del lector gzip sin ning\u00fan l\u00edmite m\u00e1ximo de bytes descomprimidos o tope de relaci\u00f3n de descompresi\u00f3n. Un llamador que analiza flujos APK controlados por un atacante puede verse forzado a gastar un tiempo excesivo de CPU descomprimiendo datos gzip, lo que lleva a tiempos de espera o ralentizaci\u00f3n del proceso. Este problema ha sido parcheado en la versi\u00f3n 1.1.0."}], "lastModified": "2026-02-20T21:31:50.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D977E504-C3B8-403B-8277-A1A4A2DAB907", "versionEndExcluding": "1.1.0", "versionStartIncluding": "0.14.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}